Sanitizes input data to prevent XSS i.e. cross site scripting attacks.
Project description
A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns valid HTML in the output. It is a wrapper around Python’s bleach library to easily integrate it with Django framework and it implements whitelist based approach to remove harmful content.
Setup
Install input-sanitizer via pip:
pip install input-sanitizer
Add input-sanitizer to your INSTALLED_APPS:
INSTALLED_APPS = [ # ... 'input_sanitizer', # ... ]Add default configurations for allowed tags, etc in settings.py. These configurations are optional and will defaults to using the bleach defaults. Refer to bleach documentation for their use:
# tags which are allowed BLEACH_ALLOWED_TAGS = ["div", "section", "a", "i"] # remove all tags from input BLEACH_STRIP_TAGS = True # remove comments, or allow them in BLEACH_STRIP_COMMENTS = True
Usage
In Django Models
input-sanitizer provides two custom model fields SanitizedCharField and SanitizedTextField to automatically remove malicious content from input before saving data into database, but keep in mind that it won’t work with bulk update, bulk create, etc as these operations are done at the database level. You can still manually sanitize input data to use for bulk update, bulk create, etc operations.
# in models.py
from django import models
from input_sanitizer import sanitized_models
class User(models.Model):
username = sanitized_models.SanitizedCharField()
info = sanitized_models.SanitizedTextField()SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:
allowed_tags: Tags which are allowed
strip_comments: Remove comments from data
strip_tags: Remove all tags from data
SanitizedCharField is a extension of Django model’s CharField and therefore, it will accept all normal CharField arguments.
SanitizedTextField is a extension of Django model’s TextField and therefore, it will accept all normal TextField arguments.
In Django Forms
SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from form fields while validating and saving the form data.
# in forms.py
from django import forms
from input_sanitizer import sanitized_forms
class User(forms.ModelForm):
username = sanitized_forms.SanitizedCharField()
info = sanitized_forms.SanitizedTextField()SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:
allowed_tags: Tags which are allowed
strip_comments: Remove comments from data
strip_tags: Remove all tags from data
SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. FIELD_ERROR takes precedence over FIELD_NAME while returning error message.
FIELD_ERROR: Error message
FIELD_NAME: Field name
SanitizedCharField is a extension of Django form’s CharField. It will accept all normal CharField arguments.
SanitizedTextField is a extension of Django form’s TextField. It will accept all normal TextField arguments.
In DRF Serializers
SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from serializer fields while validating and saving the serializer data.
# in serializers.py
from rest_framework import serializers
from input_sanitizer import sanitized_serializers
class User(serializers.ModelSerializer):
username = sanitized_serializers.SanitizedCharField()
info = sanitized_serializers.SanitizedTextField()SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:
allowed_tags: Tags which are allowed
strip_comments: Remove comments from data
strip_tags: Remove all tags from data
SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. FIELD_ERROR takes precedence over FIELD_NAME while returning error message.
FIELD_ERROR: Error message
FIELD_NAME: Field name
SanitizedCharField is a extension of DRF serializer’s CharField. It will accept all normal CharField arguments.
SanitizedTextField is a extension of DRF serializer’s TextField. It will accept all normal TextField arguments.
In Views
To manually sanitize data, you can use sanitize_data function. It can be used to sanitize data to be used for bulk update, bulk create, etc.
from input_sanitizer import sanitizers
cleaned_data = sanitizers.sanitize_data(data, bleach_kwargs={})bleach_kwargs arguments are optional and will default to using the bleach defaults. You may pass following arguments to alter cleaned output as per your requirement.
allowed_tags: Tags which are allowed
strip_comments: Remove comments from data
strip_tags: Remove all tags from data
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
File details
Details for the file input_sanitizer-0.2.3-py3-none-any.whl.
File metadata
- Download URL: input_sanitizer-0.2.3-py3-none-any.whl
- Upload date:
- Size: 6.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2845b8e3238e52452391be4d97a55e482b31c7f6b854a6f7458cc0a8d1584086 |
|
| MD5 | f840780866b9c9a7f03609174d68b0bf |
|
| BLAKE2b-256 | 5f08f9482ac148fbf9f874b4ad130e32cab6b9114114901aa9498b9055dd1132 |
