
Product
Introducing Socket Fix for Safe, Automated Dependency Upgrades
Automatically fix and test dependency updates with socket fix—a new CLI tool that turns CVE alerts into safe, automated upgrades.
A tool for removing malicious content from input data before saving data into database.
It takes input containing HTML with XSS scripts and returns valid HTML in the output.
It is a wrapper around Python's bleach
_ library to easily integrate it with Django framework and it implements whitelist based approach to remove harmful content.
Install input-sanitizer
via pip
::
pip install input-sanitizer
Add input-sanitizer
to your INSTALLED_APPS
:
.. code-block:: python
INSTALLED_APPS = [
# ...
'input_sanitizer',
# ...
]
Add default configurations for allowed tags, etc in settings.py
. These configurations are optional and will defaults to using the bleach
defaults. Refer to bleach
_ documentation for their use:
.. code-block:: python
# tags which are allowed
BLEACH_ALLOWED_TAGS = ["div", "section", "a", "i"]
# remove all tags from input
BLEACH_STRIP_TAGS = True
# remove comments, or allow them in
BLEACH_STRIP_COMMENTS = True
In Django Models
input-sanitizer
provides two custom model fields SanitizedCharField
and SanitizedTextField
to automatically remove malicious content from input before saving data into database, but keep in mind that it won't work with bulk update, bulk create, etc as these operations are done at the database level. You can still manually sanitize input data to use for bulk update, bulk create, etc operations.
.. code-block:: python
# in models.py
from django import models
from input_sanitizer import sanitized_models
class User(models.Model):
username = sanitized_models.SanitizedCharField()
info = sanitized_models.SanitizedTextField()
SanitizedCharField
and SanitizedTextField
may take following arguments to alter cleaning behaviour.
Please, refer to bleach
_ documentation for their use:
allowed_tags
: Tags which are allowedstrip_comments
: Remove comments from datastrip_tags
: Remove all tags from dataSanitizedCharField
is a extension of Django model's CharField and therefore, it will accept all normal CharField arguments.
SanitizedTextField
is a extension of Django model's TextField and therefore, it will accept all normal TextField arguments.
In Django Forms
SanitizedCharField
and SanitizedTextField
fields can be used to clean XSS content from form fields while validating and saving the form data.
.. code-block:: python
# in forms.py
from django import forms
from input_sanitizer import sanitized_forms
class User(forms.ModelForm):
username = sanitized_forms.SanitizedCharField()
info = sanitized_forms.SanitizedTextField()
SanitizedCharField
and SanitizedTextField
may take following arguments to alter cleaning behaviour.
Please, refer to bleach
_ documentation for their use:
allowed_tags
: Tags which are allowedstrip_comments
: Remove comments from datastrip_tags
: Remove all tags from dataSanitizedCharField
and SanitizedTextField
fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. FIELD_ERROR
takes precedence over FIELD_NAME
while returning error message.
FIELD_ERROR
: Error messageFIELD_NAME
: Field nameSanitizedCharField
is a extension of Django form's CharField. It will accept all normal CharField arguments.
SanitizedTextField
is a extension of Django form's TextField. It will accept all normal TextField arguments.
In DRF Serializers
SanitizedCharField
and SanitizedTextField
fields can be used to clean XSS content from serializer fields while validating and saving the serializer data.
.. code-block:: python
# in serializers.py
from rest_framework import serializers
from input_sanitizer import sanitized_serializers
class User(serializers.ModelSerializer):
username = sanitized_serializers.SanitizedCharField()
info = sanitized_serializers.SanitizedTextField()
SanitizedCharField
and SanitizedTextField
may take following arguments to alter cleaning behaviour.
Please, refer to bleach
_ documentation for their use:
allowed_tags
: Tags which are allowedstrip_comments
: Remove comments from datastrip_tags
: Remove all tags from dataSanitizedCharField
and SanitizedTextField
fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. FIELD_ERROR
takes precedence over FIELD_NAME
while returning error message.
FIELD_ERROR
: Error messageFIELD_NAME
: Field nameSanitizedCharField
is a extension of DRF serializer's CharField. It will accept all normal CharField arguments.
SanitizedTextField
is a extension of DRF serializer's TextField. It will accept all normal TextField arguments.
In Views
To manually sanitize data, you can use sanitize_data
function.
It can be used to sanitize data to be used for bulk update, bulk create, etc.
.. code-block:: python
from input_sanitizer import sanitizers
cleaned_data = sanitizers.sanitize_data(data, bleach_kwargs={})
bleach_kwargs
arguments are optional and will default to using the bleach
defaults.
You may pass following arguments to alter cleaned output as per your requirement.
allowed_tags
: Tags which are allowedstrip_comments
: Remove comments from datastrip_tags
: Remove all tags from data.. _bleach: https://bleach.readthedocs.io/en/latest/clean.html
FAQs
Sanitizes input data to prevent XSS i.e. cross site scripting attacks.
We found that input-sanitizer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Automatically fix and test dependency updates with socket fix—a new CLI tool that turns CVE alerts into safe, automated upgrades.
Security News
CISA denies CVE funding issues amid backlash over a new CVE foundation formed by board members, raising concerns about transparency and program governance.
Product
We’re excited to announce a powerful new capability in Socket: historical data and enhanced analytics.