Python library to prevent XSS(cross site scripting attach) by removing harmful content from data.

Overview

A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns valid HTML in the output. It is a wrapper around Python's bleach library to easily integrate it with Django framework and it implements whitelist based approach to remove harmful content.

Setup

  1. Install input-sanitizer via pip:

    pip install input-sanitizer
    
  2. Add input-sanitizer to your INSTALLED_APPS:

    INSTALLED_APPS = [
        # ...
        'input_sanitizer',
        # ...
    ]
  3. Add default configurations for allowed tags, etc in settings.py. These configurations are optional and will defaults to using the bleach defaults. Refer to bleach documentation for their use:

    # tags which are allowed
    BLEACH_ALLOWED_TAGS = ["div", "section", "a", "i"]
    
    # remove all tags from input
    BLEACH_STRIP_TAGS = True
    
    # remove comments, or leave them in
    BLEACH_STRIP_COMMENTS = True

Usage

In Django Models

input-sanitizer provides two custom model fields SanitizedCharField and SanitizedTextField to automatically remove malicious content from input before saving data into database, but keep in mind that it won't work with bulk update, bulk create, etc as these operations are done at the database level. You can still manually sanitize input data to use for bulk update, bulk create, etc operations.

# in models.py
from django import models
from input_sanitizer import sanitized_models

class User(models.Model):
    username = sanitized_models.SanitizedCharField()
    info = sanitized_models.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data

SanitizedCharField is a extension of Django model's CharField and therefore, it will accept all normal CharField arguments.

SanitizedTextField is a extension of Django model's TextField and therefore, it will accept all normal TextField arguments.

In Django Forms

SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from form fields while validating and saving the form data.

# in forms.py
from django import forms
from input_sanitizer import sanitized_forms

class User(forms.ModelForm):
    username = sanitized_forms.SanitizedCharField()
    info = sanitized_forms.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data

SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. f_name takes precedence over f_name while returning error message.

  • FIELD_ERROR: Error message
  • FIELD_NAME: Field name

SanitizedCharField is a extension of Django form's CharField. It will accept all normal CharField arguments.

SanitizedTextField is a extension of Django form's TextField. It will accept all normal TextField arguments.

In DRF Serializers

SanitizedCharField and SanitizedTextField fields can be used to clean XSS content from serializer fields while validating and saving the serializer data.

# in serializers.py
from rest_framework import serializers
from input_sanitizer import sanitized_serializers

class User(serializers.ModelSerializer):
    username = sanitized_serializers.SanitizedCharField()
    info = sanitized_serializers.SanitizedTextField()

SanitizedCharField and SanitizedTextField may take following arguments to alter cleaning behaviour. Please, refer to bleach documentation for their use:

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data

SanitizedCharField and SanitizedTextField fields will return validation errors if these fields are required. You can provide following arguments to customize error messages. f_name takes precedence over f_name while returning error message.

  • FIELD_ERROR: Error message
  • FIELD_NAME: Field name

SanitizedCharField is a extension of DRF serializer's CharField. It will accept all normal CharField arguments.

SanitizedTextField is a extension of DRF serializer's TextField. It will accept all normal TextField arguments.

In Views

To manually sanitize data, you can use sanitize_data function. It can be used to sanitize data to be used for bulk update, bulk create, etc.

from input_sanitizer import sanitizers
cleaned_data = sanitizers.sanitize_data(data, bleach_kwargs={})

bleach_kwargs arguments are optional and will default to using the bleach defaults. You may pass following arguments to alter cleaned output as per your requirement.

  • allowed_tags: Tags which are allowed
  • strip_comments: Remove comments from data
  • strip_tags: Remove all tags from data
Buff A simple BOF library I wrote under an hour to help me automate with BOF attack

What is Buff? A simple BOF library I wrote under an hour to help me automate with BOF attack. It comes with fuzzer and a generic method to generate ex

0x00 3 Nov 21, 2022
zip-brute Zip File Password Cracking with Using Password List

Zip brute is a python script that cracks zip that are password protected using a wordlist dictionary.

AnonyminHack5 13 Nov 03, 2022
WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar

CVE-2020-14756 WebLogic T3/IIOP RCE ExternalizableHelper.class of coherence.jar README project base on https://github.com/Y4er/CVE-2020-2555 and weblo

Y4er 77 Dec 06, 2022
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
Password list generator for password spraying - prebaked with goodies

Generates permutations of Months, Seasons, Years, Sports Teams (NFL, NBA, MLB, NHL), Sports Scores, "Password", and even Iterable Keyspaces of a specified size.

Casey Erdmann 65 Dec 22, 2022
Website OSINT untuk mencari informasi dari email dan nomor telepon. Dibuat dengan React dan Flask.

Inspektur Cari informasi mengenai email dan nomor telepon dengan mudah. Inspektur adalah aplikasi OSINT yang berguna untuk mencari informasi berdasark

Bagas Wastu 36 Dec 04, 2022
Python implementation for PrintNightmare using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

ollypwn 141 Dec 31, 2022
Monty Hall Problem simulation written in Python.

Monty Hall Problem Simulation monty_hall_sim is a brute-force method of determining the optimal strategy for the Monty Hall Problem. Usage Set boolean

Xavier D 1 Aug 29, 2022
Deltaspy - an advanced keylogger that can send keylogs and screenshots to gmail

Deltaspy Deltaspy is a advanced keylogger which sends keylogs and screenshot to

Praanesh S 1 Dec 31, 2021
CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

r0cky 92 Jul 20, 2022
A quick script to spot the usage of Unicode Bidi (bidirectional) characters that could lead to an Invisible Backdoor

Invisible Backdoor Detector is a little Python script that allows you to spot and remove Bidi characters that could lead to an invisible backdoor. If you don't know what that is you should check the

SecSI 28 Dec 29, 2022
Python APK Reverser & Patcher Tool

DTL-X An Advanced Python APK Reverser and Patcher Tool. --rmads1: target=AndroidManifest.xml,replace=com.google.android.gms.ad --rmads2: No Internet (

DedSecTL 10 Oct 31, 2022
Log4j minecraft with python

log4jminecraft This code DOES NOT promote or encourage any illegal activities! The content in this document is provided solely for educational purpose

David Bombal 154 Dec 24, 2022
EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。

EyeJo EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。 免责声明 本平台集成了大量的互联网公开工具,主要是方便安全人员整理、排查资产、安全测试等,切勿用于非法用途。使用者存在危害网络安全等任何非法行为,后果自负,作

429 Dec 31, 2022
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
Dark-Fb No Login 100% safe

Dark-Fb No Login 100% safe TERMUX • pkg install python2 && git -y • pip2 install requests mechanize tqdm • git clone https://github.com/BOT-033/Sensei

Bukan Hamkel 1 Dec 04, 2021
PasswordManager is a command-line program that helps you manage your secret files like passwords

PasswordManager is a command-line program that helps you manage your secret files like passwords. It's very minimalistic and easy to use.

Michael 3 Dec 30, 2021
To explore creating an application that detects available connections at once from wifi and bluetooth

Signalum A Linux Package to detect and analyze existing connections from wifi and bluetooth. Also checkout the Desktop Application. Signalum Installat

BISOHNS 56 Mar 03, 2021
🐝 ℹ️ Honeybee extension for export to IES-VE gem file format

honeybee-ies Honeybee extension for export a HBJSON file to IES-VE GEM file format Installation pip install honeybee-ies QuickStart import pathlib fro

Ladybug Tools 4 Jul 12, 2022
Springboot directory scanning

Springboot directory scanning

WINEZERO 87 Dec 28, 2022