views:

295

answers:

3

I have some html (in this case created via TinyMCE) that I would like to add to a page. However, for security reason, I don't want to just print everything the user has entered.

Does anyone know of a templatetag (a filter, preferably) that will allow only a safe subset of html to be rendered?

I realize that markdown and others do this. However, they also add additional markup syntax which could be confusing for my users, since they are using a rich text editor that doesn't know about markdown.

A: 

You can use removetags to specify list of tags to be remove:

{{ data|removetags:"script" }}
Aleksei Potov
-1 This is worse than nothing, as it gives the illusion of security with no real benefits. There are a million ways around this kind of blacklisting approach.
Carl Meyer
+4  A: 

There's removetags, but it's a blacklisting approach which fails to remove tags when they don't look exactly like the well-formed tags Django expects, and of course since it doesn't attempt to remove attributes it is totally vulnerable to the 1,000 other ways of script-injection that don't involve the <script> tag. It's a trap, offering the illusion of safety whilst actually providing no real security at all.

HTML-sanitisation approaches based on regex hacking are almost inevitably a total fail. Using a real HTML parser to get an object model for the submitted content, then filtering and re-serialising in a known-good format, is generally the most reliable approach.

If your rich text editor outputs XHTML it's easy, just use minidom or etree to parse the document then walk over it removing all but known-good elements and attributes and finally convert back to safe XML. If, on the other hand, it spits out HTML, or allows the user to input raw HTML, you may need to use something like BeautifulSoup on it. See this question for some discussion.

Filtering HTML is a large and complicated topic, which is why many people prefer the text-with-restrictive-markup languages.

bobince
+1  A: 

I use this snippet.

shanyu