
Django safe template filter customization

I'm using a rich text editor for users' comment replies. But I need to limit the HTML tags which users type in the text editor, to avoid XSS attacks.

I know that the safe template filter is the best choice. But as an example I'd just accept some tags like <p>, <a>, <h3>, not img, script, ... . The problem is that the safe filter accepts all HTML tags.

I'm looking for something like this:

{{user.reply|safe:'<p>,<h3>,<a>'}}

where reply is the client's rich text HTML, and the safe filter just accepts p, a, h3 tags.

I'm using the Froala rich text editor and I also know how to limit the text editor options. But if a user tries to insert some <script> tag, it can't understand that.

How can I customize the safe filter? Or which filter is more appropriate for this job?

You should write a custom filter for this.

You can install and use BeautifulSoup:

from bs4 import BeautifulSoup
from django import template
from django.utils.safestring import mark_safe

register = template.Library()

# Save this module as <app>/templatetags/includeHtmlTags.py so that
# {% load includeHtmlTags %} finds it.
@register.filter(name='includeHtmlTags')
def includeHtmlTags(value, arg):
    include = [t.strip() for t in arg.split(",")]
    soup = BeautifulSoup(value, 'html.parser')   # parse the filter input (was an undefined name)
    return_value = ''
    for tag in include:
        for i in soup.findAll(tag):
            return_value += str(i)               # Tag objects must be serialized before concatenation
    # The result is HTML, so mark it safe or Django's autoescaping would escape the
    # tags again. Note that str(i) keeps everything inside a matched tag, including
    # its attributes (href, onclick, ...) and any nested tags such as <script>.
    return mark_safe(return_value)

In your template, load {% load includeHtmlTags %} at the top

and use it like {{user.reply|includeHtmlTags:'p,h3,a'}}
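Copying matched elements out with findAll, as the answer above does, is not the same thing as sanitizing: a `<script>` nested inside an allowed `<p>` is copied along with the paragraph, `onclick`/`onerror` handlers and `href="javascript:..."` survive on the allowed tags, and unbalanced markup is passed through unchanged. The following is an added example, not the answer's code and not part of Django or Froala, of an allowlist sanitizer built only on the standard library's html.parser. It walks the whole document, keeps just the allowed tags, keeps only an explicit per-tag attribute list, rejects href values whose scheme is not http/https/mailto (relative URLs are accepted), escapes all text, drops comments and the entire content of script/style, and closes tags the input left open. The module path yourapp/templatetags/sanitize.py, the filter name `sanitize`, the attribute and scheme allowlists, and the sample inputs in the comments are assumptions chosen for the example; the Django registration at the bottom is guarded so the sanitizer itself runs without Django installed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose entire content is discarded, whatever the allowlist says.
DROP_CONTENT = {"script", "style"}
# Attributes kept per allowed tag (assumed list); anything else is removed.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# href schemes accepted in addition to scheme-less (relative) URLs.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements that never get a closing tag.
VOID_ELEMENTS = {"br", "hr", "img"}


def _safe_href(url):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, etc."""
    # Browsers ignore leading whitespace and control characters before the scheme,
    # so "java\tscript:alert(1)" must be normalised before the scheme is inspected.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowed tags/attributes and escaping all text."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.strip().lower() for t in allowed_tags if t.strip()}
        self.out = []
        self.stack = []        # allowed tags currently open in the output
        self.drop_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in self.allowed:
            return             # unwrap: the tag goes, its text is still emitted by handle_data
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # drops onclick=, style=, onerror=, ...
            value = value or ""
            if name == "href" and not _safe_href(value):
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.stack:
            return
        while self.stack:      # also close anything left open inside this tag
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.stack:      # close tags the input left unbalanced
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(value, allowed_tags=("p", "h3", "a")):
    """Return value with only allowed_tags kept; comments and unknown tags are dropped.

    Constructed sample: '<p onclick="x()">hi <a href="javascript:alert(1)">l</a></p>'
    becomes '<p>hi <a>l</a></p>'.
    """
    parser = AllowlistSanitizer(allowed_tags)
    parser.feed(value or "")
    parser.close()
    return parser.result()


# Django wiring, assumed to live in yourapp/templatetags/sanitize.py; guarded so
# the sanitizer above still runs where Django is not installed.
try:
    from django import template
    from django.utils.safestring import mark_safe

    register = template.Library()

    @register.filter(name="sanitize")
    def sanitize_filter(value, arg="p,h3,a"):
        # mark_safe is applied only to output that has just been sanitised.
        return mark_safe(sanitize_html(value, arg.split(",")))
except ImportError:
    pass
```

Used as {{user.reply|sanitize:'p,h3,a'}}, this runs server-side on whatever was actually submitted, so restricting the Froala toolbar is irrelevant to it: an attacker posts the comment body directly, never through the editor. The example exists to show the mechanics (tree walk, attribute allowlist, scheme check, re-escaping); for production use a maintained sanitizer such as nh3 or bleach, which cover far more parser edge cases, and keep mark_safe confined to the sanitizer's output.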

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
