{"id":13491368,"url":"https://github.com/ui/django-html_sanitizer","last_synced_at":"2025-03-28T08:33:04.667Z","repository":{"id":2859781,"uuid":"3864566","full_name":"ui/django-html_sanitizer","owner":"ui","description":"A set of HTML input sanitization or cleaning utilities for django models, forms and templates","archived":false,"fork":false,"pushed_at":"2022-08-23T11:36:05.000Z","size":31,"stargazers_count":64,"open_issues_count":8,"forks_count":25,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-05-03T00:56:23.825Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ui.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-03-29T09:32:13.000Z","updated_at":"2024-04-16T22:06:01.000Z","dependencies_parsed_at":"2022-07-19T00:47:23.235Z","dependency_job_id":null,"html_url":"https://github.com/ui/django-html_sanitizer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ui%2Fdjango-html_sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ui%2Fdjango-html_sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ui%2Fdjango-html_sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ui%2Fdjango-html_sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ui","download_url":"https://codeload.github.com/ui/django-html_sanitizer/tar.gz/refs/heads/master","host":{"name":"
GitHub","url":"https://github.com","kind":"github","repositories_count":245996558,"owners_count":20707269,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T19:00:56.232Z","updated_at":"2025-03-28T08:33:04.368Z","avatar_url":"https://github.com/ui.png","language":"Python","readme":"=====================\nDjango HTML Sanitizer\n=====================\n\nDjango HTML Sanitizer provides a set of utilities to easily sanitize/escape/clean\nHTML inputs in django. This app is built on top of `bleach \u003chttp://github.com/jsocol/bleach\u003e`_,\nthe excellent Python HTML sanitizer.\n\n\nDependencies\n============\n\n- `django \u003chttp://djangoproject.com/\u003e`_: http://djangoproject.com/\n- `bleach \u003chttp://github.com/jsocol/bleach\u003e`_: http://github.com/jsocol/bleach\n\n\nInstallation\n============\n\nYou'll first need to install the package (or download manually from\n`pypi \u003chttp://pypi.python.org/pypi/django-html_sanitizer\u003e`_)::\n    \n    pip install django-html_sanitizer\n\nAnd then add ``sanitizer`` to your INSTALLED_APPS in django's ``settings.py``::\n    \n    INSTALLED_APPS = (\n        # other apps\n        \"sanitizer\",\n    )\n\n\nModel Usage\n===========\n\nLike bleach, django sanitizer is a whitelist-based HTML sanitizer: only the tags\nand attributes you explicitly specify are kept; anything else is escaped or\nstripped, depending on the ``strip`` option. 
Django sanitizer provides two model fields\nthat automatically sanitize text values: ``SanitizedCharField`` and \n``SanitizedTextField``.\n\nThese fields accept extra arguments:\n\n* allowed_tags: a list of allowed HTML tags\n* allowed_attributes: a list of allowed HTML attributes, or a dictionary of\n  tag keys with an attribute list for each key (an attribute is then only\n  allowed on the tags it is listed under)\n* allowed_styles: a list of allowed CSS properties, consulted only if \"style\" is one of the allowed \n  attributes; any other property is dropped from the ``style`` value\n* strip: a boolean selecting what happens to offending markup: ``True`` strips it\n  (the text content of a stripped tag is kept), ``False`` escapes it so it shows up literally\n\nHere's how to use it in django models::\n    \n    from django.db import models\n    from sanitizer.models import SanitizedCharField, SanitizedTextField\n\n    class MyModel(models.Model):\n        # Allow only \u003ca\u003e, \u003cp\u003e, \u003cimg\u003e tags and \"href\" and \"src\" attributes;\n        # anything else (e.g. \u003cscript\u003e) is escaped rather than removed\n        foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'], \n                                 allowed_attributes=['href', 'src'], strip=False)\n        bar = SanitizedTextField(max_length=255, allowed_tags=['a', 'p', 'img'], \n                                 allowed_attributes=['href', 'src'], strip=False)\n        # Per-tag attributes: only \u003cimg\u003e may carry \"src\" and \"style\", and only the\n        # \"width\" and \"height\" properties survive inside \"style\"\n        foo2 = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'], \n                                 allowed_attributes={'img':['src', 'style']}, \n                                 allowed_styles=['width', 'height'], strip=False)\n\n\nForm Usage\n==========\n\nUsing django HTML sanitizer in django forms is very similar to model usage; the\nform field accepts the same extra arguments::\n    \n    from django import forms\n    from sanitizer.forms import SanitizedCharField\n\n    class MyForm(forms.Form):\n        # Allow only \u003ca\u003e, \u003cp\u003e, \u003cimg\u003e tags and \"href\" and \"src\" attributes\n        foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'], \n                                 allowed_attributes=['href', 'src'], strip=False)\n        bar = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 
'img'], \n                                 allowed_attributes=['href', 'src'], strip=False, widget=forms.Textarea)\n        foo2 = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'], \n                                 allowed_attributes={'img':['src', 'style']}, \n                                 allowed_styles=['width', 'height'], strip=False)\n\n\nTemplate Usage\n==============\n\nDjango sanitizer provides a few different ways of cleaning HTML in templates.\n\n``escape_html`` Template Tag\n----------------------------\n\nThe positional arguments are comma-separated lists of allowed tags, allowed\nattributes and allowed style properties, in that order. Example usage::\n    \n    {% load sanitizer %}\n    {% escape_html post.content \"a, p, img\" \"href, src, style\" \"width\" %}\n\nAssuming ``post.content`` contains the string\n'\u003ca href=\"#\" style=\"width:200px; height:400px\"\u003eExample\u003c/a\u003e\u003cscript\u003ealert(\"x\")\u003c/script\u003e', the above tag will\noutput::\n\n    '\u003ca href=\"#\" style=\"width:200px;\"\u003eExample\u003c/a\u003e\u0026lt;script\u0026gt;alert(\"x\")\u0026lt;/script\u0026gt;'\n\nThe ``height`` declaration is dropped because only ``width`` is allowed, and the\n``\u003cscript\u003e`` element is escaped so the browser renders it as text instead of running it.\n\nOn Django 1.4 and later you can also use keyword arguments::\n\n    {% escape_html '\u003ca href=\"\"\u003ebar\u003c/a\u003e' allowed_tags=\"a,img\" allowed_attributes=\"href,src\" allowed_styles=\"width\" %}\n\n\n``strip_html`` Template Tag\n---------------------------\n\nExample usage::\n    \n    {% load sanitizer %}\n    {% strip_html post.content \"a, p, img\" \"href, src\" %}\n\nIf ``post.content`` contains the string\n'\u003ca href=\"#\"\u003eExample\u003c/a\u003e\u003cscript\u003ealert(\"x\")\u003c/script\u003e', this will give you::\n\n    '\u003ca href=\"#\"\u003eExample\u003c/a\u003ealert(\"x\")'\n\nNote that stripping removes only the disallowed tags; their text content\n(here ``alert(\"x\")``) is kept as plain text. Use ``escape_html`` instead if the\noriginal markup should remain visible in escaped form.\n\n\n``escape_html`` Filter\n----------------------\n\nEscapes HTML tags in a string using whitelists taken from settings. 
To use this filter you need to\nput these variables in settings.py:\n\n* ``SANITIZER_ALLOWED_TAGS`` - a list of allowed tags (defaults to an empty list)\n* ``SANITIZER_ALLOWED_ATTRIBUTES`` - a list of allowed attributes (defaults to an empty list)\n* ``SANITIZER_ALLOWED_STYLES`` - a list of allowed styles if the style attribute is allowed (defaults to an empty list)\n\nWith the defaults no tag is allowed, so the filter escapes all markup.\n\nFor example if we have ``SANITIZER_ALLOWED_TAGS = ['a']``, \n``SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'style']``, \n``SANITIZER_ALLOWED_STYLES = ['width']`` in settings.py, doing::\n    \n    {% load sanitizer %}\n    {{ post.content|escape_html }}\n\nIf ``post.content`` contains the string\n'\u003ca href=\"#\" style=\"width:200px; height:400px\"\u003eExample\u003c/a\u003e\u003cscript\u003ealert(\"x\")\u003c/script\u003e', it will give you::\n\n    '\u003ca href=\"#\" style=\"width:200px;\"\u003eExample\u003c/a\u003e\u0026lt;script\u0026gt;alert(\"x\")\u0026lt;/script\u0026gt;'\n\n\n``strip_html`` Filter\n---------------------\n\nSimilar to the ``escape_html`` filter, except it strips out offending HTML tags\n(keeping their text content).\n\nFor example if we have ``SANITIZER_ALLOWED_TAGS = ['a']``, \n``SANITIZER_ALLOWED_ATTRIBUTES = ['href']`` in settings.py, doing::\n    \n    {% load sanitizer %}\n    {{ post.content|strip_html }}\n\nIf ``post.content`` contains the string\n'\u003ca href=\"#\"\u003eExample\u003c/a\u003e\u003cscript\u003ealert(\"x\")\u003c/script\u003e', we will get::\n\n    '\u003ca href=\"#\"\u003eExample\u003c/a\u003ealert(\"x\")'\n\n\n\nChangelog\n=========\n\nVersion 0.1.5\n-------------\n\n* Fixes for smart_unicode and basestring (Python 3.x support)\n\nVersion 0.1.4\n-------------\n\n* ``CharField``, ``TextField``, ``strip_html`` and ``escape_html`` now support\n  ``allowed_styles`` (thanks `cltrudeau \u003chttps://github.com/cltrudeau\u003e`_)\n* Added an example of template tag usage using kwargs now that Django 1.4 is out\n\nVersion 0.1.2\n-------------\n\n* ``allowed_tags`` and ``allowed_attributes`` in 
CharField and TextField now default to []\n\n","funding_links":[],"categories":["Libs"],"sub_categories":["Other"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fui%2Fdjango-html_sanitizer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fui%2Fdjango-html_sanitizer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fui%2Fdjango-html_sanitizer/lists"}
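Added illustration, not code from django-html_sanitizer or bleach: a standard-library-only whitelist cleaner that reproduces the options the README documents (``allowed_tags``, ``allowed_attributes`` as a list or a per-tag dict, ``allowed_styles``, ``strip``) so the escape-versus-strip behaviour of the template examples can be run offline. The names ``clean``, ``AllowlistCleaner`` and ``_filter_style`` and the sample inputs are this example's own; the real package delegates to bleach, which handles many cases (URL protocols in ``href``/``src``, entity normalisation, nested and malformed markup) that this sketch does not.

```python
"""Illustrative whitelist HTML cleaner (added example, not the project's code).

Mirrors the documented options of django-html_sanitizer using only the
standard library, so the escape/strip semantics can be observed directly.
"""
from html import escape
from html.parser import HTMLParser

VOID_TAGS = {"img", "br", "hr", "input"}  # elements that take no closing tag


def _filter_style(value, allowed_styles):
    """Keep only `property: value` declarations whose property is allowed."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue  # empty or malformed declaration: drop it
        prop, val = decl.split(":", 1)
        prop = prop.strip().lower()
        if prop in allowed_styles:
            kept.append(f"{prop}:{val.strip()};")
    return " ".join(kept)


class AllowlistCleaner(HTMLParser):
    """Re-serialises input HTML keeping only whitelisted tags/attributes."""

    def __init__(self, allowed_tags, allowed_attributes, allowed_styles=(), strip=False):
        super().__init__(convert_charrefs=False)
        self.allowed_tags = {t.lower() for t in allowed_tags}
        # Both documented shapes are normalised to a per-tag mapping; a plain
        # list applies to every allowed tag.
        if isinstance(allowed_attributes, dict):
            self.allowed_attributes = {
                k.lower(): {a.lower() for a in v} for k, v in allowed_attributes.items()
            }
        else:
            attrs = {a.lower() for a in allowed_attributes}
            self.allowed_attributes = {t: attrs for t in self.allowed_tags}
        self.allowed_styles = {s.lower() for s in allowed_styles}
        self.strip = strip
        self.out = []

    def _disallowed(self, raw):
        # strip=True drops the tag (its text still arrives via handle_data);
        # strip=False renders the raw tag as escaped, visible text.
        if not self.strip:
            self.out.append(escape(raw, quote=False))

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            return self._disallowed(self.get_starttag_text())
        rendered = []
        for name, value in attrs:
            if name not in self.allowed_attributes.get(tag, set()):
                continue  # attribute not whitelisted for this tag: drop it
            if name == "style":
                value = _filter_style(value or "", self.allowed_styles)
                if not value:
                    continue  # nothing survived the style whitelist
            rendered.append(f' {name}="{escape(value or "", quote=True)}"')
        closer = " /" if tag in VOID_TAGS else ""
        self.out.append(f"<{tag}{''.join(rendered)}{closer}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in self.allowed_tags:
            return self._disallowed(self.get_starttag_text())
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.allowed_tags:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        else:
            self._disallowed(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always escaped

    def handle_entityref(self, name):
        self.out.append(f"&{name};")  # pass existing entities through unchanged

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # comments, doctypes and processing instructions fall through and are dropped

    def result(self):
        return "".join(self.out)


def clean(html, allowed_tags, allowed_attributes, allowed_styles=(), strip=False):
    """Whitelist-sanitize `html`; strip=False escapes offenders, strip=True removes them."""
    cleaner = AllowlistCleaner(allowed_tags, allowed_attributes, allowed_styles, strip)
    cleaner.feed(html)
    cleaner.close()
    return cleaner.result()


if __name__ == "__main__":
    # Constructed sample input, matching the README's template-tag examples.
    sample = '<a href="#" style="width:200px; height:400px">Example</a><script>alert("x")</script>'
    print(clean(sample, ["a", "p", "img"], ["href", "src", "style"], ["width"]))
    print(clean(sample, ["a", "p", "img"], ["href", "src"], strip=True))
```

Running the module prints the escaped form first (the ``<script>`` element survives only as ``&lt;script&gt;...`` text) and the stripped form second, where the tags are gone but ``alert("x")`` remains as plain text; the per-tag dict form drops ``onerror`` from ``<img>`` and every attribute from tags that have no entry.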