Skip to main content

Convert basic HTML into DraftJS JSON format.

Project description

DraftJS Sanitizer

Sanitizes a DraftJS JSON format from a dict to allow saving. Allows safe dumping into a string in order to prevent injection of quotes and HTML entities.

Build Status Coverage Status Version

Supported versions Supported implementations

Installation

pip install draftjs-sanitizer

Usage

Remove known exploits

This removes any URLs that could be used for XSS attacks by linking raw javascript code.

from draftjs_sanitizer import clean_draft_js


clean_draft_js({
    "blocks": [
        {
            "key": "an6ci",
            "data": {},
            "text": "Get Saleor today!",
            "type": "unstyled",
            "depth": 0,
            "entityRanges": [
                {
                    "key": 0,
                    "length": 17,
                    "offset": 0
                }
            ],
            "inlineStyleRanges": []
        }
    ],
    "entityMap": {
        "0": {
            "data": {
                "url": "javascript:alert('Oopsie!');"
            },
            "type": "LINK",
            "mutability": "MUTABLE"
        }
    }
})

Dump JSON for HTML Usage

This allows to run it as a filter in order to prevent any injection or bypass when putting the JSON into HTML code.

from draftjs_sanitizer import to_string

dumped_json = to_string({"block": "</div><script>alert('Oopsie!');</script>"})

Example 1: attribute bypass

<div data-draft-js-json='{"block": "'<script>alert('Oopsie!');</script>"}'></div>

Example 2: bypass inner HTML

<div>
    {"block": "</div><script>alert('Oopsie!');</script>"}
</div>

Supported Checks

Type Entities Description
Javascript URL IMAGE, LINK Prevent injecting javascript through the javascript protocol into a URL.
Invalid URL IMAGE, LINK Removes any invalid URL from the JSON content.
Dangerous Characters any Removes any sensible character for HTML incorporation: ", ', <, >.

Development

./setup.py develop
pip install -r requirements_dev.txt

You can easily extend the behaviors through:

  • draftjs_sanitizer.encoder.DraftJSSafeEncoder
  • draftjs_sanitizer.sanitizer.DraftJSSanitizer

Dependencies

  • urllib3 for RFC 3986 parsing and validation of URLs.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

draftjs-sanitizer-1.0.0.tar.gz (6.1 kB view details)

Uploaded Source

File details

Details for the file draftjs-sanitizer-1.0.0.tar.gz.

File metadata

  • Download URL: draftjs-sanitizer-1.0.0.tar.gz
  • Upload date:
  • Size: 6.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.2

File hashes

Hashes for draftjs-sanitizer-1.0.0.tar.gz
Algorithm Hash digest
SHA256 4603a9296153cd06d5a1d76a45a1ff0295363516af983d8dde28cafc5cd67583
MD5 e27053ef0d7645b07f175c22ce317a7b
BLAKE2b-256 586cba91295b18cf371cab6e7f93f2117eea802ab8e1e491f78ab1361575d07a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page