Sanitize course description HTML - Githubissues

mitodl / teachersportal

MIT ODL Teacher's Portal

0 stars 0 forks source link

Sanitize course description HTML #140

Open jamiefolsom opened 8 years ago

jamiefolsom commented 8 years ago

I propose that we do this in Python, not on the client in Javascript.

Reasoning:

Python tools are good, and JS ones not as much
With a large chunk of markup, client side processing could hurt page performance
HTML from the course object will be used only if there's no replacement content in the CMS, so we're going to be using the backend for description info anyhow.

Proposed solution:

Whitelist a small number of elements: p, h2 - h6, ul, li, img, a, and the smallest number of attributes we can.
Sanitize the HTML when it's fetched and "enhanced", with pricing information, etc.
Store the results in the CMS, and allow that to be edited/replaced by the instructor.

justinabrahms commented 8 years ago

https://pypi.python.org/pypi/bleach looks promising.