neolaser

Reputation: 6907

Django: allow safe html tags

I'm looking into XSS with various frameworks and CMSs and whether they provide methods for protecting against it (not just programmatically avoiding the situation).

I know that in Django's templating language you can specify a variable as |safe. I want to be able to allow actually safe HTML tags so the user can format text (simple things like etc), but strip such things as , onload attributes etc.

I would like to know whether Django recommends a method for doing this, not just using Python. I hope this makes sense.

Jason

Upvotes: 1

Views: 2055

Answers (1)

Alex Jillard

Reputation: 2832

One of the core concepts of Django is that it's Python, and any Python lib should be usable with Django. They won't recreate the wheel unless there is good reason to. I believe HTML scrubbing/sanitizing is one of the things they've decided not to recreate.

BeautifulSoup is the Python library you want to look into for any scrubbing/sanitizing though.

Upvotes: 1
