Sanitizers¶
Kotti provides a mechanism to sanitize arbitrary strings.
You can configure available sanitizers via kotti.sanitizers
.
This setting takes a list of strings, with each specifying a name:callable
pair.
name
is the name under which this sanitizer is registered.
callable
is a dotted path to a function taking an unsanitized string and returning a sanitized version of it.
The default configuration is:
kotti.sanitizers =
xss_protection:kotti.sanitizers.xss_protection
minimal_html:kotti.sanitizers.minimal_html
no_html:kotti.sanitizers.no_html
For thorough explaination of the included sanitizers see kotti.sanitizers
.
Explicit sanitization¶
You can explicitly use any configured sanitizer like this:
from kotti.sanitizers import sanitize
sanitzed = sanitize(unsanitized, 'xss_protection')
The sanitize function is also available as a method of the kotti.views.util.TemplateAPI
.
This is just a convenience wrapper to ease usage in templates:
${api.sanitize(context.foo, 'minimal_html')}
Sanitize on write (implicit sanitization)¶
The second setting related to sanitization is kotti.sanitize_on_write
.
It defines, for the specified resource classes, the attributes that are sanitized and the sanitizers that will be used when the attributes are mutated and flushed.
This setting takes a list of dotted_path:sanitizer_name(s)
pairs.
dotted_path
is a dotted path to a resource class attribute that will be sanitized implicitly with the respective sanitizer(s) upon write access.
sanitizer_name(s)
is a comma separated list of available sanitizer names as configured above.
Kotti will setup listeners for the kotti.events.ObjectInsert
and kotti.events.ObjectUpdate
events for the given classes and attach a function that filters the respective attributes with the specified sanitizer.
This means that any write access to configured attributes through your application (also within correctly setup command line scripts) will be sanitized implicitly.
The default configuration is:
kotti.sanitize_on_write =
kotti.resources.Document.body:xss_protection
kotti.resources.Content.title:no_html
You can also use multiple sanitizers:
kotti.sanitize_on_write =
kotti.resources.Document.body:xss_protection,some_other_sanitizer
Implementing a custom sanitizer¶
A sanitizer is just a function that takes and returns a string. It can be as simple as:
def no_dogs_allowed(html):
return html.replace('dogs', 'cats')
no_dogs_allowed('<p>I love dogs.</p>')
... '<p>I love cats.</p>'
You can also look at kotti.sanitizers
for examples.