Cross-site scripting (XSS) defense

Lee Harr lee at example.com
Fri Jun 16 23:52:12 CEST 2006


On 2006-06-16, johnzenger at gmail.com <johnzenger at gmail.com> wrote:
> Is there a module (or, better yet, sample code) that scrubs
> user-entered text to remove cross-site scripting attacks, while also
> allowing a small subset of HTML through?
>
> Contemplated application: a message board that allows people to use
><b>, <a href="">, <i> and so on, but does not allow any javascript,
> vbscript, or other nasties.
>


I use Strip-o-Gram:
http://www.zope.org/Members/chrisw/StripOGram

It is used quite a bit in Zope, but I believe it
will also stand on its own.



More information about the Python-list mailing list