Tuesday, June 25, 2024

Changing from bleach to nh3

Bleach is deprecated, so here is how to come close to replicating bleach.clean() using the nh3 equivalent, nh3.clean().

import nh3

def clean_string(string: str) -> str:
    return nh3.clean(
        string,
        # bleach's default ALLOWED_TAGS
        tags={"a", "abbr", "acronym", "b", "blockquote", "code", "em", "i", "li", "ol", "strong", "ul"},
        # bleach's default ALLOWED_ATTRIBUTES (nh3 expects sets, not lists)
        attributes={
            "a": {"href", "title"},
            "abbr": {"title"},
            "acronym": {"title"},
        },
        # bleach's default ALLOWED_PROTOCOLS
        url_schemes={"http", "https", "mailto"},
    )

The big difference is that, unlike the escaping of disallowed HTML done by bleach, nh3 removes the offending tags altogether. See the example below to see what this means.


>>> input_from_user = """<b>
<img src="">
I'm not trying to XSS you <a href="https://example.com">Link</a>
</b>"""
>>> bleach.clean(input_from_user)
'<b>&lt;img src=""&gt;I\'m not trying to XSS you <a href="https://example.com">Link</a></b>'
>>> clean_string(input_from_user)
'<b>\n\nI\'m not trying to XSS you <a href="https://example.com">Link</a>\n</b>'

Benefits of switching to nh3 are:

  1. nh3 is actively maintained; bleach is officially deprecated.
  2. I think the nh3 approach of stripping tags rather than allowing escaping is safer. The idea of escaping is nice, but I've always wondered if a creative attacker could find a way to exploit it. So I think it's better to remove the offending tags altogether.
  3. The preservation of whitespace is really useful for preserving content submitted in a textarea. This is especially true for Markdown content.
  4. nh3 is a binding to the rust-ammonia project. They claim a 15x speed increase over bleach's binding to the html5lib project. Even if that is a 3x exaggeration, that is still a 5x speed increase.
