在提交的表单数据中消除HTML [英] Sanitizing HTML in submitted form data

问题描述

有没有一个通用的形式消毒剂，我可以用来确保所有的html /脚本被剥离提交的表单？ form.clean（）似乎没有做任何 - html标签都仍然在clean_data。或者实际上手动这样做（并覆盖表单的clean（）方法）是我唯一的选择？

Is there a generic "form sanitizer" that I can use to ensure all html/scripting is stripped off the submitted form? form.clean() doesn't seem to do any of that - html tags are all still in cleaned_data. Or actually doing this all manually (and override the clean() method for the form) is my only option?

推荐答案

Django来使用称为 striptags 的模板过滤器，您可以在模板：

Django comes with a template filter called striptags, which you can use in a template:

value|striptags

它使用 django.utils.html 中的函数 strip_tags 。您可以利用它来清理表单数据：

It uses the function strip_tags which lives in django.utils.html. You can utilize it also to clean your form data:

from django.utils.html import strip_tags
message = strip_tags(form.cleaned_data['message'])

这篇关于在提交的表单数据中消除HTML的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！