tags:

views:

279

answers:

5
+3  Q: 

Is there an Open Source Python library for sanitizing HTML and removing all Javascript?

I want to write a web application that allows users to enter any HTML that can occur inside a <div> element. This HTML will then end up being displayed to other users, so I want to make sure that the site doesn't open people up to XSS attacks.

Is there a nice library in Python that will clean out all the event handler attributes, <script> elements and other Javascript cruft from HTML or a DOM tree?

I am intending to use Beautiful Soup to regularize the HTML to make sure it doesn't contain unclosed tags and such. But, as far as I can tell, it has no pre-packaged way to strip all Javascript.

If there is a nice library in some other language, that might also work, but I would really prefer Python.

I've done a bunch of Google searching and hunted around on pypi, but haven't been able to find anything obvious.

Related

A: 

You could use BeautifulSoup. It allows you to traverse the markup structure fairly easily, even if it's not well-formed. I don't know that there's something made to order that works only on script tags.

kprobst  2009-12-06 08:57:53
I know about Beautiful Soup and was thinking of using it for checking the well-formedness of the HTML and cleaning it up a bit. I was hoping though for something that specifically would remove all Javascript.
Omnifarious  2009-12-06 09:01:22
A: 

I would honestly look at using something like bbcode or some other alternative markup with it.

MrStatic  2009-12-06 08:58:08
I absolutely detest those things when I encounter them. Every web page seems to have their own weird variant markup language that isn't HTML. And I despise them all, especially since most of them didn't rationally consider ways to escape things or how the various bits of markup would combine.I don't want to add to the horror that already exists out there.
Omnifarious  2009-12-06 09:03:11
+5  A: 

As Klaus mentions, the clear consensus in the community is to use BeautifulSoup for these tasks:

soup = BeautifulSoup.BeautifulSoup(html)
for script_elt in soup.findAll('script'):
    script_elt.extract()
html = str(soup)
Ned Batchelder  2009-12-06 13:03:37
What about all the event attributes?
Omnifarious  2009-12-06 14:33:25
On second thought, since you are doing this to prevent security problems, you really do need a whitelist of allowed markup. There are just too many different ways to sneak bad content past blacklist filters.
Ned Batchelder  2009-12-06 16:56:27
+4  A: 

Whitelist approach to allowed tags, attributes and their values is the only reliable way. Take a look at Recipe 496942: Cross-site scripting (XSS) defense

What is wrong with existing markup languages such as used on this very site?

J.F. Sebastian  2009-12-06 16:33:27
The problem with them is that almost all of them (except for the one used on this site) have strange special cases that aren't accounted for in the markup. For example, how do you bold and italicize something? Or what if you want something in a link quoted? What if you need to use one of the delimiter characters somewhere? It's both ugly, ill-defined and inflexible. The whitelist approach sounds like a plan though.
Omnifarious  2009-12-07 04:59:42
A: 

Eric,

Have you thought about using a 'SAX' type parser for the HTML? I'm really not sure though that it would ignore the events properly though. It would also be a bit harder to construct than using something like Beautiful Soup. Handling syntax errors may be a problem with SAX as well.

What I like to do in situations like this is to construct python objects (subclassed from an XML_Element class) from the parsed HTML. Then remove any undesired objects from the tree, and finally re-serialize the objects back to html. It's not all that hard in python.

Regards,

RL Drenth  2009-12-07 03:03:28

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python