nh3 clean doesn't include html, head or body tags even when included in ALLOWED_TAGS #32

barkhabol · 2023-12-11T11:59:01Z

While using nh3 library, we came across a use case, where HTML content is expected for a field, but we need to remove the content that can cause XSS attack. Using nh3.clean() directly on the input text doesn't give the expected result and a lot of useful data is getting trimmed ultimately modifying the html template input.

import nh3
text = '''
<!DOCTYPE html>
<html>
<head>
  <title>HTML Tutorial</title>
</head>
<body>
  <h1>This is a heading</h1>
  <p>This is a paragraph.</p>
</body>
</html>
'''

nh3.ALLOWED_TAGS.add('title')
nh3.ALLOWED_TAGS.add('head')
nh3.ALLOWED_TAGS.add('html')
nh3.ALLOWED_TAGS.add('div')
nh3.ALLOWED_TAGS.add('body')

print(nh3.clean(text,tags=nh3.ALLOWED_TAGS,strip_comments=False))

Output: 
<title>HTML Tutorial</title>
 <h1>This is a heading</h1>
 <p>This is a paragraph.</p>

We don't want to trim the html or head or body tags. Is there any limitation to nh3 library which does not allow these tags?

messense · 2023-12-13T06:55:20Z

Blocked on rust-ammonia/ammonia#183

messense added the upstream upstream ammonia issue label Dec 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nh3 clean doesn't include html, head or body tags even when included in ALLOWED_TAGS #32

nh3 clean doesn't include html, head or body tags even when included in ALLOWED_TAGS #32

barkhabol commented Dec 11, 2023

messense commented Dec 13, 2023

nh3 clean doesn't include html, head or body tags even when included in ALLOWED_TAGS #32

nh3 clean doesn't include html, head or body tags even when included in ALLOWED_TAGS #32

Comments

barkhabol commented Dec 11, 2023

messense commented Dec 13, 2023