Cross-site scripting (XSS) defense

Lee Harr lee at
Fri Jun 16 23:52:12 CEST 2006

On 2006-06-16, johnzenger at <johnzenger at> wrote:
> Is there a module (or, better yet, sample code) that scrubs
> user-entered text to remove cross-site scripting attacks, while also
> allowing a small subset of HTML through?
> Contemplated application: a message board that allows people to use
><b>, <a href="">, <i> and so on, but does not allow any javascript,
> vbscript, or other nasties.

I use Strip-o-Gram:

It is used quite a bit in Zope, but I believe it
will also stand on its own.

More information about the Python-list mailing list