Sanitizing HTML in submitted form data


Question

Is there a generic "form sanitizer" that I can use to ensure all html/scripting is stripped off the submitted form? form.clean() doesn't seem to do any of that - html tags are all still in cleaned_data. Or actually doing this all manually (and override the clean() method for the form) is my only option?

1
29
2/21/2013 1:29:04 PM

Accepted Answer

Django comes with a template filter called striptags, which you can use in a template:

value|striptags

It uses the function strip_tags which lives in django.utils.html. You can utilize it also to clean your form data:

from django.utils.html import strip_tags
message = strip_tags(form.cleaned_data['message'])
29
4/12/2011 10:03:26 PM

strip_tags actually removes the tags from the input, which may not be what you want.

To convert a string to a "safe string" with angle brackets, ampersands and quotes converted to the corresponding HTML entities, you can use the escape filter:

from django.utils.html import escape
message = escape(form.cleaned_data['message'])

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow
Icon