Thank you both for your replies. I think I'll go for using bleach to clean on input, and mark as safe on output.
I must say, however, that I'm surprised at how hard it is to find information about this topic. I would have thought that allowing some, but not all, HTML was a relatively common task, and that there would be a standard solution.

On Jun 30, 6:08 pm, shacker <shac...@birdhouse.org> wrote:
> On Jun 30, 12:00 am, Sam Lai <samuel....@gmail.com> wrote:
> > Nice find - I did pretty much the same thing, but using lxml.Cleaner.
> > This seems more configurable; I'm probably going to change mine over
> > to this instead.
>
> I needed to allow public rich text input on bucketlist.org so had to
> sanitize input carefully, and used this approach:
>
> http://birdhouse.org/blog/2010/05/12/secure-user-input-with-django/
>
> (part of which involves tinymce, but the back-end portion is
> agnostic).
>
> ./s