I have a model with a description field; this field can contain HTML code. For security reasons I want to create a custom field to clean this code before saving it to the DB.

I'm trying to use the library bleach (https://github.com/mozilla/bleach), but I don't know if I'm doing it right.

This is my custom field:

```python
import bleach
from django.db import models


class HtmlField(models.TextField):
    description = 'Clean HTML field'

    def __init__(self, *args, **kwargs):
        bleach.clean(self.description)
        super().__init__(*args, **kwargs)
```

EDIT:

I can save the data the way I want, but I get this error on migrate: `TypeError: argument cannot be of 'NoneType' type, must be of text type`

EDIT2: I solved the previous problem by adding a check for an empty value:

```python
if not value:
    return ''
```

https://github.com/mozilla/bleach/issues/334

GustavoNogueira

1 Answer

You can override the `to_python` function, like:

```python
import bleach
from django.db import models


class HtmlField(models.TextField):
    description = 'Clean HTML field'

    def to_python(self, value):
        # Runs on deserialization and form cleaning; TextField.get_prep_value
        # also calls to_python, so values being saved pass through here as well.
        value = super().to_python(value)
        if value is None:
            return None
        return bleach.clean(value)
```

That being said, I'm not convinced that storing HTML code in the database is a security risk. The database does not render the html, it does not run the JavaScript parts, etc. See the question "Database for Content - OK to store HTML?" for more information.

Willem Van Onsem