Easily use bleach with Django models and templates
Project description
Bleach is a Python module that takes any HTML input, and returns valid, sanitised HTML that contains only an allowed subset of HTML tags, attributes and styles. django-bleach is a Django app that makes using bleach extremely easy.
Setup
Install django-bleach via pip:
pip install django-bleach
Add django-bleach to your INSTALLED_APPS:
    INSTALLED_APPS = [
        # ...
        'django_bleach',
        # ...
    ]
Select some sensible defaults for the allowed tags, attributes and styles, and for the behaviour when unknown tags are encountered. Each of these settings is optional and falls back to the bleach defaults. See the bleach documentation:
    # Which HTML tags are allowed
    BLEACH_ALLOWED_TAGS = ['p', 'b', 'i', 'u', 'em', 'strong', 'a']

    # Which HTML attributes are allowed
    BLEACH_ALLOWED_ATTRIBUTES = ['href', 'title', 'style']

    # Which CSS properties are allowed in 'style' attributes (assuming
    # style is an allowed attribute)
    BLEACH_ALLOWED_STYLES = [
        'font-family', 'font-weight', 'text-decoration', 'font-variant']

    # Strip unknown tags if True, replace with HTML escaped characters if
    # False
    BLEACH_STRIP_TAGS = True

    # Strip comments, or leave them in.
    BLEACH_STRIP_COMMENTS = False
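To make the effect of these settings concrete, here is an added stdlib-only sanitiser (example code, not bleach's or django-bleach's) that applies the same allow-lists and the strip_tags / strip_comments switches to an HTML fragment. It deliberately omits bleach's URL protocol checks on href, so it illustrates the settings rather than replacing bleach.

```python
from html import escape
from html.parser import HTMLParser

# Mirrors the BLEACH_* settings shown above (constructed values, not project code).
ALLOWED_TAGS = ['p', 'b', 'i', 'u', 'em', 'strong', 'a']
ALLOWED_ATTRIBUTES = ['href', 'title', 'style']
ALLOWED_STYLES = ['font-family', 'font-weight', 'text-decoration', 'font-variant']

class Sanitiser(HTMLParser):
    # Allow-list sanitiser modelling BLEACH_STRIP_TAGS and BLEACH_STRIP_COMMENTS.
    def __init__(self, strip_tags=True, strip_comments=False):
        super().__init__()  # convert_charrefs=True: text arrives decoded, is re-escaped below
        self.strip_tags, self.strip_comments, self.out = strip_tags, strip_comments, []
    def _unknown(self, raw):
        # Unknown tag: dropped when strip_tags=True, escaped into literal text when False
        if not self.strip_tags:
            self.out.append(escape(raw))
    def _clean_style(self, value):
        kept = []
        for decl in value.split(';'):
            prop, _, val = decl.partition(':')
            if prop.strip().lower() in ALLOWED_STYLES and val.strip():
                kept.append(f'{prop.strip().lower()}: {val.strip()}')
        return '; '.join(kept)
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return self._unknown(self.get_starttag_text())
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES:
                continue  # event-handler attributes such as onclick are dropped silently
            if name == 'style':
                value = self._clean_style(value or '')
            if value:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append('<' + ' '.join(parts) + '>')
    def handle_endtag(self, tag):
        self.out.append(f'</{tag}>') if tag in ALLOWED_TAGS else self._unknown(f'</{tag}>')
    def handle_data(self, data):
        self.out.append(escape(data))  # text content is always re-escaped
    def handle_comment(self, data):
        if not self.strip_comments:
            self.out.append(f'<!--{data}-->')

def bleach_like(html, strip_tags=True, strip_comments=False):
    parser = Sanitiser(strip_tags, strip_comments)
    parser.feed(html)
    parser.close()
    return ''.join(parser.out)
```

With strip_tags=True the tag `<script>` disappears but its text content is kept; with strip_tags=False the same tag is rendered as visible literal text, which is the difference the BLEACH_STRIP_TAGS comment above describes.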
Select the default widget for bleach fields. This defaults to django.forms.Textarea, but you will probably want to replace it with a WYSIWYG editor, or something similar:
    # Use a WYSIWYG widget for bleached HTML fields
    BLEACH_DEFAULT_WIDGET = 'wysiwyg.widgets.WysiwygWidget'
I use django-ckeditor in my projects, but what you use is up to you.
Usage
In your models
django-bleach provides three ways of creating bleached output. The simplest way of including user-editable HTML content that is automatically sanitised is by using the BleachField model field:
    # in app/models.py
    from django.db import models
    from django_bleach.models import BleachField

    class Post(models.Model):
        title = models.CharField(max_length=200)  # CharField requires max_length
        content = BleachField()
        # ...
BleachField takes the following arguments, to customise the output of bleach. See the bleach documentation for their use:
allowed_tags
allowed_attributes
allowed_styles
strip_tags
strip_comments
In addition to the bleach-specific arguments, the BleachField model field accepts all of the normal field attributes. Behind the scenes, it is a TextField, and accepts all the same arguments as the default TextField does.
The BleachField model field makes use of the BleachField form field to do all of the work. It provides no sanitisation facilities itself. This is considered a bug, but a clean solution has not yet been implemented. Any pull requests fixing this will be gratefully applied. As long as the BleachField model field is only used with BleachField form fields, there will be no problem. If this is not the case (for example, content saved directly through the ORM without passing through the form), sanitised HTML cannot be guaranteed.
In your forms
A BleachField form field is provided. This field sanitises HTML input from the user, and presents safe, clean HTML to your Django application. This is where most of the work is done.
In your templates
If you have a piece of content from somewhere that needs to be printed in a template, you can use the bleach filter:
    {% load bleach_tags %}
    {{ some_unsafe_content|bleach }}
The filter takes no arguments. It uses the default settings defined in your application settings.
Hashes for mysociety-django-bleach-0.2.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 1f9bfe1c728f9e3a55c8be3e77004d6c689ce4484213b73e0efef1f7c3e6ee4a
MD5 | 01d3dfe9d9994ddcb35448d40742235b
BLAKE2b-256 | 85252306b8b1c35b5b4ea070f64e65f8425dca855fad12b7f3e082b0cbc591d4