Sanitizing HTML in submitted form data

python django forms sanitization
abolotnov picture abolotnov · Apr 12, 2011 · Viewed 22k times · Source

Is there a generic "form sanitizer" that I can use to ensure all html/scripting is stripped off the submitted form? form.clean() doesn't seem to do any of that - html tags are all still in cleaned_data. Or actually doing this all manually (and override the clean() method for the form) is my only option?

Answer

simao picture simao · Aug 23, 2011

strip_tags actually removes the tags from the input, which may not be what you want.

To convert a string to a "safe string" with angle brackets, ampersands and quotes converted to the corresponding HTML entities, you can use the escape filter:

from django.utils.html import escape
message = escape(form.cleaned_data['message'])

Related questions

Proper way to handle multiple forms on one page in Django

I have a template page expecting two forms. If I just use one form, things are fine as in this typical example: if request.method == 'POST': form = AuthorForm(request.POST,) if form.is_valid(): form.save() # do something. else: form = …

Read More
Django: How can I create a multiple select form?

I'm beginner in Django/Python and I need to create a multiple select form. I know it's easy but I can't find any example. I know how to create a CharField with a widget but I get confused of all …

Read More
Django required field in model form

I have a form where a couple of fields are coming out as required when I don't want them too. Here is the form from models.py class CircuitForm(ModelForm): class Meta: model = Circuit exclude = ('lastPaged',) def __init__(self, *args, **…

Read More