
Convert basic HTML into DraftJS JSON format.

Project description

DraftJS Sanitizer

Sanitizes DraftJS JSON content (supplied as a dict) so that it can be saved safely, and dumps it to a string in a form that prevents injection through quotes and HTML entities.


Installation

pip install draftjs-sanitizer

Usage

Remove known exploits

This removes any URL that could be used for an XSS attack by linking to raw JavaScript code through the javascript: protocol.

from draftjs_sanitizer import clean_draft_js

# The LINK entity in entityMap carries a javascript: URL; the sanitizer
# removes that URL from the returned structure.
sanitized = clean_draft_js({
    "blocks": [
        {
            "key": "an6ci",
            "data": {},
            "text": "Get Saleor today!",
            "type": "unstyled",
            "depth": 0,
            "entityRanges": [
                {
                    "key": 0,
                    "length": 17,
                    "offset": 0
                }
            ],
            "inlineStyleRanges": []
        }
    ],
    "entityMap": {
        "0": {
            "data": {
                "url": "javascript:alert('Oopsie!');"
            },
            "type": "LINK",
            "mutability": "MUTABLE"
        }
    }
})

Dump JSON for HTML Usage

This lets you run it as a filter to prevent injection or bypass when the JSON is placed inside HTML code, whether in an attribute value or as inner HTML, as the two examples below show.

from draftjs_sanitizer import to_string

# The resulting string contains none of the characters (", ', <, >) that
# would let the payload break out of the surrounding HTML.
dumped_json = to_string({"block": "</div><script>alert('Oopsie!');</script>"})

Example 1: attribute bypass

<div data-draft-js-json='{"block": "'<script>alert('Oopsie!');</script>"}'></div>

Example 2: bypass inner HTML

<div>
    {"block": "</div><script>alert('Oopsie!');</script>"}
</div>

Supported Checks

Type                  Entities      Description
--------------------  ------------  ------------------------------------------------------------------
Javascript URL        IMAGE, LINK   Prevents injecting JavaScript into a URL through the javascript: protocol.
Invalid URL           IMAGE, LINK   Removes any invalid URL from the JSON content.
Dangerous Characters  any           Removes any character that is unsafe to embed in HTML: ", ', <, >.
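The two checks above, rewritten as a small stand-alone example (added here, not draftjs-sanitizer's own code): the URL check allow-lists schemes for LINK/IMAGE entities, and the dump step uses JSON \u escapes instead of stripping characters, so the decoded value is unchanged. The names is_safe_url, sanitize_entity_map and to_html_safe_json, and the scheme allow-list, are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allow-list, not the library's
URL_ENTITIES = {"LINK", "IMAGE"}               # entity types that carry a URL


def is_safe_url(url):
    """Allow-list the URL scheme. Whitespace and control characters are
    dropped first because browsers ignore them, so 'java\\tscript:' is still
    seen as javascript:. A scheme-less URL passes only if it is path-relative."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return cleaned.startswith("/") and not cleaned.startswith("//")


def sanitize_entity_map(entity_map):
    """Return a copy of entityMap with unsafe or invalid URLs dropped from
    LINK/IMAGE entities. The entity itself and its text range are kept."""
    clean = {}
    for key, entity in entity_map.items():
        entity = dict(entity)
        if entity.get("type") in URL_ENTITIES:
            data = dict(entity.get("data") or {})
            url = data.get("url")
            if not isinstance(url, str) or not is_safe_url(url):
                data.pop("url", None)
            entity["data"] = data
        clean[key] = entity
    return clean


# Characters that let dumped JSON break out of inner HTML or a single-quoted
# attribute. They become JSON \u escapes rather than being stripped, so
# json.loads() still returns the original text. Double quotes are left alone
# because JSON needs them; use html.escape() on top for a double-quoted attribute.
_HTML_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026", "'": "\\u0027"}


def to_html_safe_json(value):
    dumped = json.dumps(value)
    for char, escaped in _HTML_UNSAFE.items():
        dumped = dumped.replace(char, escaped)
    return dumped
```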

Development

./setup.py develop
pip install -r requirements_dev.txt

You can extend the behaviour by subclassing:

  • draftjs_sanitizer.encoder.DraftJSSafeEncoder
  • draftjs_sanitizer.sanitizer.DraftJSSanitizer

Dependencies

  • urllib3 for RFC 3986 parsing and validation of URLs.

Download files


Source Distribution

draftjs-sanitizer-0.0.0.dev2.tar.gz (6.1 kB)

File details

Details for the file draftjs-sanitizer-0.0.0.dev2.tar.gz.

File metadata

  • Download URL: draftjs-sanitizer-0.0.0.dev2.tar.gz
  • Size: 6.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.2

File hashes

Hashes for draftjs-sanitizer-0.0.0.dev2.tar.gz

Algorithm    Hash digest
-----------  ----------------------------------------------------------------
SHA256       0a4ce50f855057a6e4d59f51de9389dd1926a9b27f54837582f294d0be616cf9
MD5          670565a39b825f8d319fc1f2d55af72a
BLAKE2b-256  bb75601c9d71f3fa92e5538501572f48daccd17a6924449bd3bd31b30b24ba3d
