Skip to main content

Sanitizes input data to prevent XSS i.e. cross site scripting attacks.

Project description

A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns valid HTML in the output. It is a wrapper around Python’s bleach library to easily integrate it with Django framework and it implements whitelist based approach to remove harmful content.

Setup

  1. Install input-sanitizer via pip:

    pip install input-sanitizer
  2. Add input-sanitizer to your INSTALLED_APPS:

    INSTALLED_APPS = [
        # ...
        'input_sanitizer',
        # ...
    ]
  3. Add default configurations for allowed tags, etc in settings.py. These configurations are optional and will defaults to using the bleach defaults. Refer to bleach documentation for their use:

    # tags which are allowed
    BLEACH_ALLOWED_TAGS = ["div", "section", "a", "i"]
    
    # remove all tags from input
    BLEACH_STRIP_TAGS = True
    
    
    # remove comments from input
    BLEACH_STRIP_TAGS = True
    
    # Strip comments, or leave them in.
    BLEACH_STRIP_COMMENTS = True

Usage

In Django Models

input-sanitizer provides two custom model fields SanitizedCharField and SanitizedTextField to automatically remove malicious content from input before saving data into database, but keep in mind that it won’t work with bulk update, bulk create, etc as these operations are done at the database level. You can still manually sanitize input data to use for bulk update, bulk create, etc operations.

# in models.py
from django import models
from input_sanitizer import sanitized_models

class User(models.Model):
    username = sanitized_models.SanitizedCharField()
    info = sanitized_models.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer bleach documentation for their use:

  • allowed_tags

  • strip_comments

  • strip_tags

SanitizedCharField is a extension of Django model’s CharField and therefore, it will accept all normal CharField arguments.

SanitizedTextField is a extension of Django model’s TextField and therefore, it will accept all normal TextField arguments.

In Django Forms

SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from form fields while validating and saving the form data.

# in forms.py
from django import forms
from input_sanitizer import sanitized_forms

class User(forms.ModelForm):
    username = sanitized_forms.SanitizedCharField()
    info = sanitized_forms.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer bleach documentation for their use:

  • allowed_tags

  • strip_comments

  • strip_tags

SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. f_name takes precedence over f_name while returning error message.

  • f_error: Error message

  • f_name: Field name

SanitizedCharField is a extension of Django form’s CharField. It will accept all normal CharField arguments.

SanitizedTextField is a extension of Django form’s TextField. It will accept all normal TextField arguments.

In DRF Serializers

SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from serializer fields while validating and saving the serializer data.

# in serializers.py
from rest_framework import serializers
from input_sanitizer import sanitized_serializers

class User(serializers.ModelSerializer):
    username = sanitized_serializers.SanitizedCharField()
    info = sanitized_serializers.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer bleach documentation for their use:

  • allowed_tags

  • strip_comments

  • strip_tags

SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. f_name takes precedence over f_name while returning error message.

  • f_error: Error message

  • f_name: Field name

SanitizedCharField is a extension of DRF serializer’s CharField. It will accept all normal CharField arguments.

SanitizedTextField is a extension of DRF serializer’s TextField. It will accept all normal TextField arguments.

In Views

To manually sanitize data, you can use sanitize_data function. It can be used to sanitize data to be used for bulk update, bulk create, etc.

from input_sanitizer import sanitizers
cleaned_data = sanitizers.sanitize_data(data, bleach_kwargs={})

bleach_kwargs arguments are optional and will default to using the bleach defaults. You may pass following arguments to alter cleaned output as per your requirement.

  • allowed_tags

  • strip_comments

  • strip_tags

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

input_sanitizer-0.2.0-py3-none-any.whl (6.0 kB view details)

Uploaded Python 3

File details

Details for the file input_sanitizer-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: input_sanitizer-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 6.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.5

File hashes

Hashes for input_sanitizer-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cff5bf444e724b3fe31022927f2ddfe32a51f87764d2c84ed2d481932d372aa2
MD5 52355c52dd99b71b5239e7f83ee0efce
BLAKE2b-256 41f7cf16f7e4a688d2592facec08f6859ed58c6af75a770b9101e9d70582567e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page