A silly but useful hack for sanitizing untrusted HTML input in Django forms via PHP's HTML Purifier
Django (tested with 1.3)
PHP 5.0.5+ w/ CLI
HTML Purifier library - standard, lite, or PEAR distribution
HTMLPurifier.auto.php should be in your PHP path.
A willingness to mix Python/Django with PHP
Add 'htmlpurifier' to
INSTALLED_APPS in your project's settings.py.
django-htmlpurifier is ready to use out-of-the-box, assuming that you are happy with the PHP HTML Purifier's default settings.
Otherwise, django-htmlpurifier currently supports the following settings, definable in settings.py:
HTMLPURIFIER_SCRIPT_PATH: An absolute path to a custom PHP processing script (see below)
Using django-htmlpurifier is very simple.
Import the htmlpurifier module:
Define a field that should be sanitized:
MyHtmlField = htmlpurifier.HTMLField()
MyHtmlField = htmlpurifier.HTMLField(widget=forms.TextArea)
HTMLField() is a subclass of Django's CharField.
If for some reason you don't want to deal with forms and just need a low-level function that HTML-purifies a string input, do:
Writing your own PHP processing script
django-htmlpurifier ships with a very basic PHP script that provides an interface to the PHP HTML Purifier library using its default settings. If the default settings do not float your boat, please refer to the HTML Purifier configuration reference.