In the website on which I’m working, users may send messages to each other.

Question

0

Asked: June 10, 20262026-06-10T13:12:33+00:00 2026-06-10T13:12:33+00:00

In the website on which I’m working, users may send messages to each other.

0

In the website on which I’m working, users may send messages to each other. I want users to be able to use text-style tags such as < b > , < i > , and < u > to make text bold, italic and underlined respectively. But, in fact, I don’t want to be XSSed with those < script > tags. Or perhaps a < b > with a mouseover attribute.

What’s the easiest and the most secure way to do so?

I’m using django and jQuery if that matters.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-10T13:12:34+00:00

If you really want to use HTML tags, you should consider using Bleach.

>>> evil = "This <script>...</script> is partly <b>evil</b>"
>>> bleach.clean(evil)
u'This &lt;script&gt;...&lt;/script&gt; is partly <b>evil</b>'

With clean you can explicitly whitelist the tags you want to allow. By using strip you also strip unallowed tags instead of escaping them:

>>> evil = "This uses <i>i</i> and <b title='hovertext'>b</b> and <em>em</em>"
>>> bleach.clean(evil, tags=["b"], attributes=dict(), strip=True)
u'This uses i and <b>b</b> and em'

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

In the website on which I’m working, users may send messages to each other.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply