A silly but useful hack for sanitizing untrusted HTML input in Django forms via the PHP HTML Purifier library
Python PHP
Switch branches/tags
Nothing to show
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



A silly but useful hack for sanitizing untrusted HTML input in Django forms via PHP's HTML Purifier


Django (tested with 1.3)
Python 2.6+
PHP 5.0.5+ w/ CLI
HTML Purifier library - standard, lite, or PEAR distribution
NOTE: HTMLPurifier.auto.php should be in your PHP path.
A willingness to mix Python/Django with PHP


Add 'htmlpurifier' to INSTALLED_APPS in your project's settings.py.


django-htmlpurifier is ready to use out-of-the-box, assuming that you are happy with the PHP HTML Purifier's default settings.

Otherwise, django-htmlpurifier currently supports the following settings, definable in settings.py:
HTMLPURIFIER_SCRIPT_PATH: An absolute path to a custom PHP processing script (see below)


Using django-htmlpurifier is very simple.

Import the htmlpurifier module:
import htmlpurifier

Define a field that should be sanitized:
MyHtmlField = htmlpurifier.HTMLField()
or perhaps
MyHtmlField = htmlpurifier.HTMLField(widget=forms.TextArea)

HTMLField() is a subclass of Django's CharField.

If for some reason you don't want to deal with forms and just need a low-level function that HTML-purifies a string input, do:

Writing your own PHP processing script

django-htmlpurifier ships with a very basic PHP script that provides an interface to the PHP HTML Purifier library using its default settings. If the default settings do not float your boat, please refer to the HTML Purifier configuration reference.