Solution to the problem of XSS content filtering in Python Django development

From:http://stackoverflow.com/questions/699468/python-html-sanitizer-scrubber-filter

The following code can be used to filter the content into clean HTML content, indicating that the code from the above StackOverflow answer

Use lxml.html.clean ! It ' s VERY easy!

 from Import clean_html print clean_html (HTML)

<HTML> <Head>   <Scripttype= "Text/javascript"src= "Evil-site"></Script>   <Linkrel= "alternate"type= "Text/rss"src= "Evil-rss">   <style>Body{Background-image:URL (javascript:do_evil)}; Div{Color:expression (Evil)}; </style> </Head> <Bodyonload= "evil_function ()">    <!--I am interpreted for evil! -   <ahref= "javascript:evil_function ()">A link</a>   <ahref="#"onclick= "evil_function ()">Another link</a>   <Ponclick= "evil_function ()">A paragraph</P>   <Divstyle= "Display:none">Secret evil!</Div>   <Object>of evil!</Object>   <iframesrc= "Evil-site"></iframe>   <formAction= "Evil-site">Password:<inputtype= "Password"name= "Password">   </form>   <Blink>Annoying evil!</Blink>   <ahref= "Evil-site">Spam spam spam!</a>   <Imagesrc= "evil!"> </Body></HTML>

The result is:

<HTML>  <Body>    <Div>      <style>/*deleted*/</style>      <ahref="">A link</a>      <ahref="#">Another link</a>      <P>A paragraph</P>      <Div>Secret evil!</Div>of evil!      Password:annoying evil! <ahref= "Evil-site">Spam spam spam!</a>      <imgsrc= "evil!">    </Div>  </Body></HTML>

You can customize the elements, want to clean and whatnot.

On the issue of security filtering in Web development, quote owasp ESAPI (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html) Filter method Interface list for your reference:

Java.lang.String canonicalize (java.lang.String input)
This method was equivalent to calling
Java.lang.String canonicalize (java.lang.String input, Boolean strict)
This method was the equivalent to calling
Java.lang.String canonicalize (java.lang.String input, Boolean restrictmultiple, Boolean restrictmixed)
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form.
Java.lang.String decodeforhtml (java.lang.String input)
Decodes HTML entities.
Byte[] DecodeFromBase64 (java.lang.String input)
Decode data encoded with BASE-64 encoding.
Java.lang.String decodefromurl (java.lang.String input)
Decode from URL.
Java.lang.String encodeForBase64 (byte[] input, Boolean wrap)
Encode for Base64.
Java.lang.String encodeforcss (java.lang.String input)
Encode data for use in cascading Style Sheets (CSS) content.
Java.lang.String Encodefordn (java.lang.String input)
Encode data for the use of an LDAP distinguished name.
Java.lang.String encodeforhtml (java.lang.String input)
Encode data for use in HTML using HTML entity encoding
Java.lang.String encodeforhtmlattribute (java.lang.String input)
Encode data for use in HTML attributes.
Java.lang.String encodeforjavascript (java.lang.String input)
Encode data for insertion inside a data value or function argument in JavaScript.
Java.lang.String encodeforldap (java.lang.String input)
Encode data for use in LDAP queries.
Java.lang.String Encodeforos (Codec Codec, java.lang.String input)
Encode for a operating system command shell according to the selected codec (appropriate codecs include the Windowscodec and Unixcodec).
Java.lang.String Encodeforsql (Codec Codec, java.lang.String input)
Encode input for use with a SQL query, according to the selected codec (appropriate codecs include the Mysqlcodec and Oracle CODEC).
Java.lang.String encodeforurl (java.lang.String input)
Encode for use in a URL.
Java.lang.String encodeforvbscript (java.lang.String input)
Encode data for insertion inside a data value in a Visual Basic script.
Java.lang.String encodeforxml (java.lang.String input)
Encode data for use in an XML element.
Java.lang.String encodeforxmlattribute (java.lang.String input)
Encode data for use with an XML attribute.
Java.lang.String Encodeforxpath (java.lang.String input)
Encode data for use with an XPath query.

Solution to the problem of XSS content filtering in Python Django development