I am currently using django-ckeditor to allow users to enter a rich description for their profile.
However, this opens the door to malicious users that will try to do XSS and other code injection.
I was wondering what would be the best way to go about this?
I looked at Python HTML sanitizer / scrubber / filter, but it seems that these solutions get rid of attributes such as “style=”, which totally contradicts the usage of ckeditor to have, for example, coloured text, or other stuff that depends on these attributes.
Should I use another tool instead of ckeditor? Or what can I do?
My main goal is to allow the user to show pictures, coloured text, etc. in their “profile”.
You should decide on and write a “whitelist” of what is allowed to be posted. Then parse the posted data thoroughly and clean up everything that is not in that whitelist. If it is some style – parse the style attribute and remove everything except the whitelisted stuff.
You can do it with good old BeautifulSoup, for example.
Surely, don’t whitelist <script> tags or onSOMETHING handlers – they usually bring more pain than gain.
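What the answer describes, as an added example that is not part of the question or the answer above: a whitelist sanitizer that keeps only known tags and attributes, parses the style attribute property by property, and rejects javascript:/data: URLs. It uses Python's standard-library html.parser rather than BeautifulSoup so it runs with no extra dependencies; the tag, attribute and CSS-property lists are illustrative choices for a profile page (assumptions, not anything ckeditor prescribes), and the sample input is constructed.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Whitelist: tag -> attributes allowed on it. Anything not listed is dropped.
# (Illustrative choices for a profile page; adjust to what the editor emits.)
ALLOWED_TAGS = {
    "p": {"style"}, "br": set(), "b": set(), "strong": set(), "i": set(),
    "em": set(), "u": set(), "ul": set(), "ol": set(), "li": set(),
    "span": {"style"},
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}            # never receive a closing tag
DROP_CONTENT = {"script", "style"}   # drop the tag AND everything inside it
ALLOWED_CSS = {"color", "background-color", "font-weight", "font-style",
               "text-decoration", "text-align"}
# A value may be a hex colour, a keyword/number, or rgb()/rgba(); this rejects
# url(), expression() and anything containing a colon, quotes or backslashes.
CSS_VALUE_RE = re.compile(r"^(?:#[0-9a-fA-F]{3,8}|[a-zA-Z0-9-]+|rgba?\([\d\s,.%]+\))$")
ALLOWED_SCHEMES = {"", "http", "https"}  # "" = relative URL


def clean_style(style):
    """Keep only whitelisted CSS properties with well-formed values."""
    kept = []
    for decl in style.split(";"):
        prop, sep, val = decl.partition(":")
        if not sep:
            continue
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS and CSS_VALUE_RE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def safe_url(value):
    """True for http(s) or relative URLs; rejects javascript:, data:, vbscript: ..."""
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES


def clean_attrs(tag, attrs):
    out = []
    for name, value in attrs:  # HTMLParser lower-cases names and unescapes values
        if value is None or name not in ALLOWED_TAGS[tag]:
            continue
        if name == "style":
            value = clean_style(value)
        elif name in ("href", "src"):
            value = value if safe_url(value) else ""
        elif name in ("width", "height"):
            value = value if value.isdigit() else ""
        if value:
            out.append((name, value))
    return out


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from scratch; only handlers below ever emit output,
    so comments, doctypes and processing instructions vanish automatically."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # pieces of sanitized HTML
        self.stack = []      # tags we have emitted and not yet closed
        self.skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"'
                            for n, v in clean_attrs(tag, attrs))
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while self.stack:  # close intermediate tags so the output stays nested
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:  # re-escape: entities were decoded on input
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:  # close anything the user left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    parser = WhitelistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample: every hostile part is stripped, the styling survives.
    print(sanitize('<p style="color:#f00; background:url(javascript:alert(1))">'
                   'Hi <script>alert(1)</script><b onclick="x()">bold</b> '
                   '<a href="&#106;avascript:alert(1)">x</a>'
                   '<img src="https://example.com/a.png" onerror="alert(1)"></p>'))
```

Run it on the submitted description before saving (a form's clean method is a natural place) and only ever mark the sanitized string as safe when rendering; the regex-based CSS check deliberately refuses anything it does not recognise rather than trying to enumerate dangerous values.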