Coder Social home page Coder Social logo

draftjs-sanitizer's Introduction

DraftJS Sanitizer

Sanitizes a DraftJS JSON format from a dict to allow saving. Allows safe dumping into a string in order to prevent injection of quotes and HTML entities.

Build Status Coverage Status Version

Supported versions Supported implementations

Installation

pip install draftjs-sanitizer

Usage

Remove known exploits

This removes any URLs that could be used for XSS attacks by linking raw javascript code.

from draftjs_sanitizer import clean_draft_js


clean_draft_js({
    "blocks": [
        {
            "key": "an6ci",
            "data": {},
            "text": "Get Saleor today!",
            "type": "unstyled",
            "depth": 0,
            "entityRanges": [
                {
                    "key": 0,
                    "length": 17,
                    "offset": 0
                }
            ],
            "inlineStyleRanges": []
        }
    ],
    "entityMap": {
        "0": {
            "data": {
                "url": "javascript:alert('Oopsie!');"
            },
            "type": "LINK",
            "mutability": "MUTABLE"
        }
    }
})

Dump JSON for HTML Usage

This allows to run it as a filter in order to prevent any injection or bypass when putting the JSON into HTML code.

from draftjs_sanitizer import to_string

dumped_json = to_string({"block": "</div><script>alert('Oopsie!');</script>"})

Example 1: attribute bypass

<div data-draft-js-json='{"block": "'<script>alert('Oopsie!');</script>"}'></div>

Example 2: bypass inner HTML

<div>
    {"block": "</div><script>alert('Oopsie!');</script>"}
</div>

Supported Checks

Type Entities Description
Javascript URL IMAGE, LINK Prevent injecting javascript through the javascript protocol into a URL.
Invalid URL IMAGE, LINK Removes any invalid URL from the JSON content.
Dangerous Characters any Removes any sensible character for HTML incorporation: ", ', <, >.

Development

./setup.py develop
pip install -r requirements_dev.txt

You can easily extend the behaviors through:

  • draftjs_sanitizer.encoder.DraftJSSafeEncoder
  • draftjs_sanitizer.sanitizer.DraftJSSanitizer

Dependencies

  • urllib3 for RFC 3986 parsing and validation of URLs.

draftjs-sanitizer's People

Stargazers

avatar avatar avatar

Watchers

avatar avatar

Forkers

aleph-works

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.