Solution to the problem of XSS content filtering in Python Django development

Last Update:2017-07-02 Source: Internet

Author: User

Tags ldap xml attribute

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

From:http://stackoverflow.com/questions/699468/python-html-sanitizer-scrubber-filter

The following code can be used to filter the content into clean HTML content, indicating that the code from the above StackOverflow answer

Use lxml.html.clean ! It ' s VERY easy!

 from Import clean_html print clean_html (HTML)

<HTML> <Head>   <Scripttype= "Text/javascript"src= "Evil-site"></Script>   <Linkrel= "alternate"type= "Text/rss"src= "Evil-rss">   <style>Body{Background-image:URL (javascript:do_evil)}; Div{Color:expression (Evil)}; </style> </Head> <Bodyonload= "evil_function ()">    <!--I am interpreted for evil! -   <ahref= "javascript:evil_function ()">A link</a>   <ahref="#"onclick= "evil_function ()">Another link</a>   <Ponclick= "evil_function ()">A paragraph</P>   <Divstyle= "Display:none">Secret evil!</Div>   <Object>of evil!</Object>   <iframesrc= "Evil-site"></iframe>   <formAction= "Evil-site">Password:<inputtype= "Password"name= "Password">   </form>   <Blink>Annoying evil!</Blink>   <ahref= "Evil-site">Spam spam spam!</a>   <Imagesrc= "evil!"> </Body></HTML>

The result is:

<HTML>  <Body>    <Div>      <style>/*deleted*/</style>      <ahref="">A link</a>      <ahref="#">Another link</a>      <P>A paragraph</P>      <Div>Secret evil!</Div>of evil!      Password:annoying evil! <ahref= "Evil-site">Spam spam spam!</a>      <imgsrc= "evil!">    </Div>  </Body></HTML>

You can customize the elements, want to clean and whatnot.

On the issue of security filtering in Web development, quote owasp ESAPI (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html) Filter method Interface list for your reference:

Java.lang.String canonicalize (java.lang.String input)
This method was equivalent to calling
Java.lang.String canonicalize (java.lang.String input, Boolean strict)
This method was the equivalent to calling
Java.lang.String canonicalize (java.lang.String input, Boolean restrictmultiple, Boolean restrictmixed)
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form.
Java.lang.String decodeforhtml (java.lang.String input)
Decodes HTML entities.
Byte[] DecodeFromBase64 (java.lang.String input)
Decode data encoded with BASE-64 encoding.
Java.lang.String decodefromurl (java.lang.String input)
Decode from URL.
Java.lang.String encodeForBase64 (byte[] input, Boolean wrap)
Encode for Base64.
Java.lang.String encodeforcss (java.lang.String input)
Encode data for use in cascading Style Sheets (CSS) content.
Java.lang.String Encodefordn (java.lang.String input)
Encode data for the use of an LDAP distinguished name.
Java.lang.String encodeforhtml (java.lang.String input)
Encode data for use in HTML using HTML entity encoding
Java.lang.String encodeforhtmlattribute (java.lang.String input)
Encode data for use in HTML attributes.
Java.lang.String encodeforjavascript (java.lang.String input)
Encode data for insertion inside a data value or function argument in JavaScript.
Java.lang.String encodeforldap (java.lang.String input)
Encode data for use in LDAP queries.
Java.lang.String Encodeforos (Codec Codec, java.lang.String input)
Encode for a operating system command shell according to the selected codec (appropriate codecs include the Windowscodec and Unixcodec).
Java.lang.String Encodeforsql (Codec Codec, java.lang.String input)
Encode input for use with a SQL query, according to the selected codec (appropriate codecs include the Mysqlcodec and Oracle CODEC).
Java.lang.String encodeforurl (java.lang.String input)
Encode for use in a URL.
Java.lang.String encodeforvbscript (java.lang.String input)
Encode data for insertion inside a data value in a Visual Basic script.
Java.lang.String encodeforxml (java.lang.String input)
Encode data for use in an XML element.
Java.lang.String encodeforxmlattribute (java.lang.String input)
Encode data for use with an XML attribute.
Java.lang.String Encodeforxpath (java.lang.String input)
Encode data for use with an XPath query.

Solution to the problem of XSS content filtering in Python Django development

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More