Python library to prevent XSS(cross site scripting attach) by removing harmful content from data.

Overview

A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns valid HTML in the output. It is a wrapper around Python's bleach library to easily integrate it with Django framework and it implements whitelist based approach to remove harmful content.

Setup

  1. Install input-sanitizer via pip:

    pip install input-sanitizer
    
  2. Add input-sanitizer to your INSTALLED_APPS:

    INSTALLED_APPS = [
        # ...
        'input_sanitizer',
        # ...
    ]
  3. Add default configurations for allowed tags, etc in settings.py. These configurations are optional and will defaults to using the bleach defaults. Refer to bleach documentation for their use:

    # tags which are allowed
    BLEACH_ALLOWED_TAGS = ["div", "section", "a", "i"]
    
    # remove all tags from input
    BLEACH_STRIP_TAGS = True
    
    # remove comments, or leave them in
    BLEACH_STRIP_COMMENTS = True

Usage

In Django Models

input-sanitizer provides two custom model fields SanitizedCharField and SanitizedTextField to automatically remove malicious content from input before saving data into database, but keep in mind that it won't work with bulk update, bulk create, etc as these operations are done at the database level. You can still manually sanitize input data to use for bulk update, bulk create, etc operations.

# in models.py
from django import models
from input_sanitizer import sanitized_models

class User(models.Model):
    username = sanitized_models.SanitizedCharField()
    info = sanitized_models.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data

SanitizedCharField is a extension of Django model's CharField and therefore, it will accept all normal CharField arguments.

SanitizedTextField is a extension of Django model's TextField and therefore, it will accept all normal TextField arguments.

In Django Forms

SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from form fields while validating and saving the form data.

# in forms.py
from django import forms
from input_sanitizer import sanitized_forms

class User(forms.ModelForm):
    username = sanitized_forms.SanitizedCharField()
    info = sanitized_forms.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data

SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. f_name takes precedence over f_name while returning error message.

  • FIELD_ERROR: Error message
  • FIELD_NAME: Field name

SanitizedCharField is a extension of Django form's CharField. It will accept all normal CharField arguments.

SanitizedTextField is a extension of Django form's TextField. It will accept all normal TextField arguments.

In DRF Serializers

SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from serializer fields while validating and saving the serializer data.

# in serializers.py
from rest_framework import serializers
from input_sanitizer import sanitized_serializers

class User(serializers.ModelSerializer):
    username = sanitized_serializers.SanitizedCharField()
    info = sanitized_serializers.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data

SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. f_name takes precedence over f_name while returning error message.

  • FIELD_ERROR: Error message
  • FIELD_NAME: Field name

SanitizedCharField is a extension of DRF serializer's CharField. It will accept all normal CharField arguments.

SanitizedTextField is a extension of DRF serializer's TextField. It will accept all normal TextField arguments.

In Views

To manually sanitize data, you can use sanitize_data function. It can be used to sanitize data to be used for bulk update, bulk create, etc.

from input_sanitizer import sanitizers
cleaned_data = sanitizers.sanitize_data(data, bleach_kwargs={})

bleach_kwargs arguments are optional and will default to using the bleach defaults. You may pass following arguments to alter cleaned output as per your requirement.

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 03, 2023
GRR Rapid Response: remote live forensics for incident response

GRR Rapid Response is an incident response framework focused on remote live forensics. Build Type Status Tests End-to-end Tests Windows Templates Linu

Google 4.3k Jan 05, 2023
CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Al1ex 213 Dec 30, 2022
Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Take Note! With the exception of issues and PRs regarding changes to hosts/data/StevenBlack/hosts, all other issues regarding the content of the produ

Steven Black 22.1k Jan 02, 2023
大宝剑-信息收集和资产梳理工具(红队、蓝队、企业组织架构、子域名、Web资产梳理、Web指纹识别、ICON_Hash资产匹配)

大宝剑-信息收集和资产梳理工具(红队、蓝队、企业组织架构、子域名、Web资产梳理、Web指纹识别、ICON_Hash资产匹配)

Wolf Group Security Team 835 Jan 05, 2023
A traceroute tool that also displays IP information

infotr A traceroute tool that also displays IP information. This tool has only been tested on Linux. Quick Start First, install this tool from PyPI. p

K4YT3X 10 Oct 29, 2022
PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in

chipik 82 Nov 09, 2022
This repo is about steps to create a effective custom wordlist in a few clicks/

Custom Wordlist This repo is about steps to take in order to create a effective custom wordlist in a few clicks. this comes handing in pentesting enga

2 Oct 08, 2022
com_media allowed paths that are not intended for image uploads to RCE

CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE. CVE-2020-24597 Directory traversal in com_media to RCE Two CVEs

KIEN HOANG 67 Nov 09, 2022
IDA Frida Plugin for tracing something interesting.

IDAFrida A simple IDA plugin to generate FRIDA script. Edit template for functions or you can use the default template. Select functions you want to t

PandaOS 133 Dec 24, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022
Cookiecutter for creating open source Python packages

Cookiecutter for rapidly developing new open source Python packages. Best practices with all the modern bells and whistles included.

Wolt 177 Dec 22, 2022
The probability of having the password you want in the PassMaker is +90%!!

PasswordMaker Strong listing password Introduction The probability of having the password you want in the tool is +90%!! How to Install Open the termi

MasterBurnt 4 Sep 05, 2021
Example for the NFT 3D Collectibles using Blender Scripting (Python).

NFT Collectibles using Blender Python What is this? This project is to demonstrate for generating NFT Collectible Avatar-Styled images. For details, p

hideckies 48 Nov 26, 2022
GitLab CE/EE Preauth RCE using ExifTool

CVE-2021-22205 GitLab CE/EE Preauth RCE using ExifTool This project is for learning only, if someone's rights have been violated, please contact me to

3ND 164 Dec 10, 2022
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

122 Dec 12, 2022
A honey token manager and alert system for AWS.

SpaceSiren SpaceSiren is a honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey token

287 Nov 09, 2022
Dark-Fb No Login 100% safe

Dark-Fb No Login 100% safe TERMUX • pkg install python2 && git -y • pip2 install requests mechanize tqdm • git clone https://github.com/BOT-033/Sensei

Bukan Hamkel 1 Dec 04, 2021
Open Source Tool - Cybersecurity Graph Database in Neo4j

GraphKer Open Source Tool - Cybersecurity Graph Database in Neo4j |G|r|a|p|h|K|e|r| { open source tool for a cybersecurity graph database in neo4j } W

Adamantios - Marios Berzovitis 27 Dec 06, 2022
Reverse engineered Parler API

Parler's unofficial API with all endpoints present in their iOS app as of 08/12/2020. For the most part undocumented, but the error responses are alre

393 Nov 26, 2022