Sanitize HTML filter

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
from BeautifulSoup import BeautifulSoup, Comment
register = template.Library()


def sanitize_html(value):
    valid_tags = 'p i strong b u a h1 h2 h3 pre br img'.split()
    valid_attrs = 'href src'.split()
    soup = BeautifulSoup(value)
    for comment in soup.findAll(
        text=lambda text: isinstance(text, Comment)):
        comment.extract()
    for tag in soup.findAll(True):
        if tag.name not in valid_tags:
            tag.hidden = True
        tag.attrs = [(attr, val) for attr, val in tag.attrs
                     if attr in valid_attrs]
    return soup.renderContents().decode('utf8').replace('javascript:', '')

register.filter('santize', sanitize_html)

Comments

drg006 (on May 15, 2007):

This filter does not prevent case "insensitive XSS attack vector" and "embedded tab to break up the cross site scripting attack" documented here: http://ha.ckers.org/xss.html

#

chrominance (on July 30, 2007):

Might want to try changing the 'javascript' regex in the second-to-last line with this regex instead: 

re.compile('j[\s]*(&#x.{1,7})?a[\s]*(&#x.{1,7})?v[\s]*(&#x.{1,7})?a[\s]*(&#x.{1,7})?
s[\s]*(&#x.{1,7})?c[\s]*(&#x.{1,7})?r[\s]*(&#x.{1,7})?i[\s]*(&#x.{1,7})?p[\s]*(&#x.{1,7})?t', re.IGNORECASE)

(all on one line, of course)

It's long and unwieldy but I think it catches the above issues, and then some (embedded entity tabs/linebreaks, for example).

#

(Forgotten your password?)

You may use Markdown syntax here, but raw HTML will be removed.