tags:

views:

194

answers:

1
Q: 

Django, allowing user to use embed/object html and XSS protection

For the site i am building i would like the users to be able to provide embed codes for video and audio sites. i know this poses a security risk, so i wanted to find out, within Django, how best to filter the html provided so that only certain tags and certain sites are allowed.

Does anyone have any references to how i can accomplish this with Django?

+1  A: 

You may be better off using a lightweight markup language and then converting to HTML. This prevents them from playing games to get around whatever HTML checking you do. Fully and correctly checking HTML for 'gotchas' is very difficult to do.

Doing it this way is sort of from the school of That which is not explicitly permitted is prohibited.

Peter Rowell  2010-01-07 18:17:06
If you use creoleparser (http://pypi.python.org/pypi/Creoleparser/0.6.1), you can create macros that generate the embed code (e.g. define a `youtube` macro so people can use `<<youtube some_video_id>>` in their markup, a `googlevideo` macro, etc.).
LeafStorm  2010-01-07 22:41:57
@LeafStorm: Thanks for the link. I hadn't seen this particular one before.
Peter Rowell  2010-01-07 22:54:02

related questions

Django: Print url of view without hardcoding the url
Django Calendar Widget?
Can the HTTP version or headers affect the visual appearance of a web page?
Project design / FS layout for large django projects
Extending the User model with custom fields in Django
How to generate urls in django
Always including the user in the django template context
Screencasts for Django/Python?
Using Django time/date widgets in custom form
How do I add data to an existing model in Django?
Setup django with WSGI and apache
Altering database tables in Django
Django Templates and variable attributes.
Django ImageField core=False in newforms admin
How can I render a tree structure (recursive) using a django template?
Cleanest & Fastest server setup for Django
Unicode vs UTF-8 confusion in Python / Django?
Does Hostmonster support Django
Specifying a mySQL ENUM in a Django model
Represent Ordering in a Relational Database
updating an auto_now DateTimeField in a parent model w/ Django
Version track, automate DB schema changes with django
Learning Ruby on Rails any good for Grails?
What Hosting Service is best for Django applications?
Class views in Django