[python-uk] Favourite ways of scrubbing HTML/whitelisting specific HTML tags?

Menno Smits menno at freshfoo.com
Thu Feb 7 19:17:33 CET 2008


Hi Michael,

Michael Sparks wrote:
> Just a quick Q for people: what's your favourite way (preferably a library :) 
> of allowing a subset of HTML tags through? I can think of 1/2 dozen different 
> ways of doing this, but I'm sure there's a preferred approach for some...
> 
> Thanks in advance :-)

Whatever you go with, test it against the attacks described in the XSS 
Cheat Sheet[1]. If you're serious about XSS you should test against 
these approaches.

In the past I've written a tag and attribute filter built on the 
standard library HTMLParser. Of course this only works for well-formed 
HTML (which I had).

Regards,
Menno

[1] http://ha.ckers.org/xss.html


More information about the python-uk mailing list