I've added a new custom model field type HTMLTextField.
The only real difference between this field and a text field is that it runs a sanitizer prior to saving to the database. The sanitizer I'm using is the html_sanitizer, which itself seems to be built on Mozilla's bleach. The main advantage of using this sanitizer over bleach is some minor Django integration that allows the defining of custom sanitation whitelists.
Tests are included, but tests.test_models.test_lists.test_lists_html_fields is a pretty good example if you want to open this in a shell and test for yourself.
The default sanitizer strips all elements except for ["a", "h1", "h2", "h3", "strong", "em", "p", "ul", "ol", "li", "br", "sub", "sup", "hr"] and all attributes from accepted elements except for {a: ("href", "name", "target", "title", "id", "rel")}.
closes #199
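As an added illustration (not the PR's code and not the html_sanitizer library's API), here is a stand-alone allow-list sanitizer built on Python's html.parser that enforces exactly the tag and attribute lists quoted above, so you can see what survives and what is stripped. Dropping the bodies of script/style elements and auto-closing unbalanced tags are choices made for this example, not behaviour the PR describes.

```python
from html import escape
from html.parser import HTMLParser

# Allow-lists exactly as stated in the PR description (illustration only).
ALLOWED_TAGS = {"a", "h1", "h2", "h3", "strong", "em", "p", "ul", "ol", "li", "br", "sub", "sup", "hr"}
ALLOWED_ATTRS = {"a": {"href", "name", "target", "title", "id", "rel"}}
VOID_TAGS = {"br", "hr"}                 # emitted without a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # their text is code, not user prose (example's choice)


class AllowListSanitizer(HTMLParser):
    """Keep allow-listed tags/attributes, drop the rest, escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._open, self._skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:     # swallow the element and its body
            self._skipping = tag
        elif tag in ALLOWED_TAGS and not self._skipping:
            allowed = ALLOWED_ATTRS.get(tag, set())
            kept = [f'{n}="{escape(v, quote=True)}"'
                    for n, v in attrs if n in allowed and v is not None]
            self.out.append("<" + " ".join([tag] + kept) + ">")
            if tag not in VOID_TAGS:
                self._open.append(tag)
        # any other tag is dropped, but its text content survives (escaped)

    handle_startendtag = handle_starttag  # <br/> and <hr/> take the same path

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif tag in self._open:          # close down to the matching opener
            while (top := self._open.pop()) != tag:
                self.out.append(f"</{top}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))

    def close(self):                     # auto-close anything left open
        super().close()
        self.out.extend(f"</{t}>" for t in reversed(self._open))
        self._open.clear()


def sanitize(html: str) -> str:
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Note that this only enforces the tag and attribute lists; it does not inspect href values, so scheme filtering would be a separate concern in a real field.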