Chemical-Curation / chemcurator_django

Backend services for chemical curation
https://api.chemreg.epa.gov
MIT License

199 list description html #221

Closed michael-barbour closed 4 years ago

michael-barbour commented 4 years ago

closes #199

I've added a new custom model field type HTMLTextField.

The only real difference between this field and a text field is that it runs a sanitizer prior to saving to the database. The sanitizer I'm using is the html_sanitizer, which itself seems to be built on Mozilla's bleach. The main advantage of using this sanitizer over bleach is some minor Django integration that allows the defining of custom sanitation whitelists.

Tests are included, but `tests.test_models.test_lists.test_lists_html_fields` is a pretty good example if you want to open this in shell and test for yourself.

The default sanitizer strips all elements except for `["a", "h1", "h2", "h3", "strong", "em", "p", "ul", "ol", "li", "br", "sub", "sup", "hr",]` and all attributes from accepted elements except for `{a: ("href", "name", "target", "title", "id", "rel")}`.

debboutr commented 4 years ago

Looks good! I like how you tucked it into the Field, I might have just cleaned the string in the serializer. Much better this way!