I am creating an application that will process user-submitted content. I would like users to be able to make their text content beautiful with basic HTML markup, i.e. <i> <b> <br>. However, I do not want them to use things like script tags. Django will automatically escape everything, so it will also disable all safe markup. I can disable this using:
{{ somevar|safe }} or {% autoescape off %}
However, it will also allow the use of all malicious script tags. Django provides a linebreaks filter that converts whitespace to br or p tags while maintaining safe HTML:
{{ somevar|linebreaks }}
Unfortunately, I do not know any filters that allow the use of b or i tags.
Therefore, I am wondering if there is a reasonable solution to this problem. And if you propose a third-party library, it would be better to use the solution when saving the model or when rendering content.
UPDATE
In the end, I went with this sanitizer / scrubber / filter solution for Python. This last answer makes it possible to use the Beautiful Soup library to remove all unwanted HTML tags from user-submitted content. This can be done before saving the model, so it allows you to safely use the template filter {{ somevar|safe }} when rendering the page.