draftjs-sanitizer

Convert basic HTML into DraftJS JSON format.

  • Version: 1.0.0
  • Registry: PyPI
  • Maintainers: 1

DraftJS Sanitizer

Sanitizes DraftJS JSON content, given as a dict, so that it can be saved safely. It also dumps the content to a string in a way that prevents injection through quotes and HTML special characters.

Installation

pip install draftjs-sanitizer

Usage

Remove known exploits

This removes any URL that could be used for an XSS attack, such as a link whose target is raw JavaScript (the javascript: protocol).

from draftjs_sanitizer import clean_draft_js


clean_draft_js({
    "blocks": [
        {
            "key": "an6ci",
            "data": {},
            "text": "Get Saleor today!",
            "type": "unstyled",
            "depth": 0,
            "entityRanges": [
                {
                    "key": 0,
                    "length": 17,
                    "offset": 0
                }
            ],
            "inlineStyleRanges": []
        }
    ],
    "entityMap": {
        "0": {
            "data": {
                "url": "javascript:alert('Oopsie!');"
            },
            "type": "LINK",
            "mutability": "MUTABLE"
        }
    }
})

Dump JSON for HTML Usage

This lets you run the sanitizer as a filter, preventing injection or bypass when the JSON is placed inside HTML code.

from draftjs_sanitizer import to_string

dumped_json = to_string({"block": "</div><script>alert('Oopsie!');</script>"})

The two examples below show what an unsanitized payload would do when the JSON is placed in an attribute value or in element content.

Example 1: attribute bypass

<div data-draft-js-json='{"block": "'<script>alert('Oopsie!');</script>"}'></div>

Example 2: bypass inner HTML

<div>
    {"block": "</div><script>alert('Oopsie!');</script>"}
</div>

Supported Checks

Type                  Entities      Description
Javascript URL        IMAGE, LINK   Prevents injecting JavaScript into a URL through the javascript: protocol.
Invalid URL           IMAGE, LINK   Removes any invalid URL from the JSON content.
Dangerous Characters  any           Removes characters that are sensitive for HTML incorporation: ", ', <, >.
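As an added illustration (not the library's own code), the stand-alone Python below reimplements the three checks in the table and the two entry points shown under Usage, using only the standard library. It assumes that http, https and mailto are the only schemes accepted as safe LINK/IMAGE targets; the function names mirror the README's, but the implementation is this example's own.

```python
import json
from urllib.parse import urlsplit

# Characters the "Dangerous Characters" check strips from every string value.
_DANGEROUS = str.maketrans("", "", "\"'<>")
# Assumption: only these schemes count as safe LINK/IMAGE targets.
_SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(url):
    """True for an absolute URL with a safe scheme; False for javascript:, data:, junk."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. an unbalanced IPv6 literal
        return False
    scheme = parts.scheme.lower()
    if scheme not in _SAFE_SCHEMES:
        return False
    return scheme == "mailto" or bool(parts.netloc)


def _strip(value):
    """Recursively copy a JSON-like value, dropping ", ', < and > from every string."""
    if isinstance(value, str):
        return value.translate(_DANGEROUS)
    if isinstance(value, list):
        return [_strip(v) for v in value]
    if isinstance(value, dict):
        return {k: _strip(v) for k, v in value.items()}
    return value


def clean_draft_js(content):
    """Return a sanitized copy: unsafe LINK/IMAGE URLs removed, dangerous chars stripped."""
    cleaned = _strip(content)  # fresh copy, safe to mutate; the input is left untouched
    # Validate the ORIGINAL url, not the stripped one: stripping could turn a
    # string like "java<script:" into "javascript:" and change the verdict.
    for key, entity in content.get("entityMap", {}).items():
        data = entity.get("data", {})
        if entity.get("type") in ("LINK", "IMAGE") and "url" in data:
            if not safe_url(str(data["url"])):
                del cleaned["entityMap"][key]["data"]["url"]  # entity stays, target goes
    return cleaned


def to_string(content):
    """Sanitize, then dump to JSON that is safe to embed in an HTML attribute or element."""
    return json.dumps(clean_draft_js(content))
```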

Development

./setup.py develop
pip install -r requirements_dev.txt

The behaviour can be extended through these classes:

  • draftjs_sanitizer.encoder.DraftJSSafeEncoder
  • draftjs_sanitizer.sanitizer.DraftJSSanitizer

Dependencies

  • urllib3 for RFC 3986 parsing and validation of URLs.
