
I'm trying to find something that will return an exception upon finding anything that even remotely looks like HTML or JavaScript. I've figured out how to do it for individual views, but it's not a scalable solution, and ultimately I need to prevent code from being saved to the database no matter what view gets targeted by the injection attack.

Here is the functionality I'm looking for.

# A set of single characters. Note: '<>[]{}():;,'.split() would give a
# one-element list holding the whole string, so the per-character check
# below would never match; set() splits it into individual characters.
ILLEGAL_CHARS = set('<>[]{}():;,')

# bunch of code in between

for value in [company_name, url, status, information, lt_type, company_source]:
    # reject the value if it contains any single character from the set
    if any(char in value for char in ILLEGAL_CHARS):
        raise Exception(f"You passed one of several illegal characters: {''.join(sorted(ILLEGAL_CHARS))}")

I'm using Django REST framework, so I have to handle it on the backend. Thanks.
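One way to apply the character check from the question to every serializer at once, as an added example that is not from the question or the answer: a single validate() hook on a mixin walks all incoming fields, so no view needs its own check. The names find_illegal_fields, RejectMarkupMixin, CompanySerializer and the sample records are assumed, and the url field gets an exemption because ':' and ',' also occur in ordinary URLs.

```python
# Characters the question treats as "looks like HTML or JavaScript".
# ':' and ',' are legal in ordinary URLs, so a URL field needs an exemption.
ILLEGAL_CHARS = frozenset('<>[]{}():;,')

def find_illegal_fields(attrs, allowed_per_field=None):
    """Return {field_name: offending_chars} for every string value in `attrs`
    containing a character from ILLEGAL_CHARS minus that field's exemptions.
    Non-string values (ints, booleans, nested dicts) are skipped."""
    allowed_per_field = allowed_per_field or {}
    offending = {}
    for name, value in attrs.items():
        if not isinstance(value, str):
            continue
        banned = ILLEGAL_CHARS - frozenset(allowed_per_field.get(name, ""))
        found = sorted(set(value) & banned)  # sorted for a stable message
        if found:
            offending[name] = "".join(found)
    return offending

class RejectMarkupMixin:
    """Hypothetical mixin for a DRF Serializer: one validate() override that
    checks every incoming field before anything reaches the database.
    Usage (assumes DRF is installed):
        class CompanySerializer(RejectMarkupMixin, serializers.ModelSerializer):
            markup_allowed = {"url": ":,"}
    Modelled standalone here; only the validate(attrs) hook is implemented."""
    markup_allowed = {}  # field name -> characters exempted for that field

    def validate(self, attrs):
        bad = find_illegal_fields(attrs, self.markup_allowed)
        if bad:
            detail = "; ".join(f"{f}: {c}" for f, c in bad.items())
            # In a real serializer raise serializers.ValidationError instead.
            raise ValueError(f"illegal characters in input ({detail})")
        return attrs

SAMPLE_CLEAN = {  # constructed input, not from the question
    "company_name": "Acme Ltd",
    "url": "https://example.com/a?x=1,2",
    "status": "active",
}
SAMPLE_BAD = dict(SAMPLE_CLEAN, company_name="Acme <b>Ltd</b>")

class CompanySerializer(RejectMarkupMixin):
    """Stand-in for a real serializer; exempts ':' and ',' in the url field."""
    markup_allowed = {"url": ":,"}
```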

1 Answer


Actually, you don't need to sanitize any user input, because when you show them in the template the Jinja {{object}} will make sure that no HTML or JavaScript will be executed until you mark them as safe with {{object|safe}}. But if you want not to save them in the database, this might help: Sanitizing HTML in submitted form data

seif
  • I'm using REST; Django doesn't render the HTML. Do you by any chance know of a way to clean any queries before they make it to the database? Thanks :) – IronMeerkat Mar 22 '21 at 13:52
  • Did you read the solutions in the link provided above? The escape and strip_tags functions. – seif Mar 22 '21 at 14:00