Is there a generic "form sanitizer" that I can use to ensure all html/scripting is stripped off the submitted form? form.clean()
doesn't seem to do any of that - html tags are all still in cleaned_data
. Or actually doing this all manually (and override the clean()
method for the form) is my only option?
strip_tags
actually removes the tags from the input, which may not be what you want.
To convert a string to a "safe string" with angle brackets, ampersands and quotes converted to the corresponding HTML entities, you can use the escape filter:
from django.utils.html import escape
message = escape(form.cleaned_data['message'])