How can I sanitize a string for use as a filename?

You can use the PathGetCharType function, the PathCleanupSpec function, or the following trick:

    function IsValidFilePath(const FileName: String): Boolean;
    var
      S: String;
      I: Integer;
    begin
      Result := False;
      S := FileName;
      repeat
        I := LastDelimiter('\/', S);
        MoveFile(nil, PChar(S));
        if (GetLastError = ERROR_ALREADY_EXISTS) or
           ( (GetFileAttributes(PChar(Copy(S, I + 1, MaxInt))) = INVALID_FILE_ATTRIBUTES) and
             (GetLastError = ERROR_INVALID_NAME) ) then
          Exit;
        if I > 0 … Read more
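An added example of the same idea in Python, not the answer's Delphi code and not the Win32 functions it mentions: a stand-alone helper (named sanitize_filename here) that reduces an untrusted string to one portable path component. The reserved device names and forbidden characters are the documented Windows rules; the fallback name and the length limit are assumptions made for the example.

```python
import os
import re
import unicodedata

# Characters Windows rejects in a path component, plus ASCII control characters.
# POSIX only forbids "/" and NUL, but one rule for both keeps stored names portable.
_FORBIDDEN = re.compile(r'[<>:"/\\|?*\x00-\x1f\x7f]')

# Device names Windows reserves whatever the extension ("CON.txt" still opens the console).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def sanitize_filename(name: str, fallback: str = "file", max_len: int = 255) -> str:
    """Reduce an untrusted string to a single, portable, non-reserved file name."""
    # NFKC folds compatibility forms first, so a fullwidth solidus (U+FF0F) becomes an
    # ordinary "/" and is caught by the path split below instead of slipping through.
    name = unicodedata.normalize("NFKC", name)
    # Keep only the last path component: "../../etc/passwd" -> "passwd".
    name = re.split(r"[\\/]", name)[-1]
    # Replace anything the filesystem (or a later shell or URL) could misread.
    name = _FORBIDDEN.sub("_", name)
    # Windows silently drops trailing dots and spaces ("evil.exe." is stored as "evil.exe"),
    # so strip them here so the name we record matches the name on disk. Leading dots go
    # too, which also blocks uploaded dotfiles such as ".htaccess".
    name = name.strip(" .")
    # Reserved device names are checked on the stem, i.e. before the first dot.
    if name.split(".", 1)[0].upper() in _RESERVED:
        name = "_" + name
    if not name:
        name = fallback  # assumed fallback for names that sanitised to nothing
    # Length limit in characters (NAME_MAX is in bytes on most filesystems, so lower
    # max_len if non-ASCII names are expected). Prefer to keep the extension.
    if len(name) > max_len:
        stem, ext = os.path.splitext(name)
        if len(ext) >= max_len:
            ext = ""
        name = stem[: max_len - len(ext)] + ext
    return name
```

The order of steps matters: normalising before splitting is what stops the fullwidth slash trick, and stripping trailing dots before the reserved-name check is what catches "CON." as well as "CON".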

What can I use to sanitize received HTML while retaining basic formatting?

This is an older, but still relevant question. We are using the HtmlSanitizer .Net library, which:

- is open-source
- is actively maintained
- doesn't have problems like the Microsoft Anti-XSS library
- is unit tested with the OWASP XSS Filter Evasion Cheat Sheet
- is specially built for this (in contrast to HTML Agility Pack, which is a parser)

… Read more
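For readers outside .NET, here is an added example, written for this page and not taken from HtmlSanitizer, of the allowlist approach such a library implements: parse with the standard library's html.parser, re-emit only listed tags and attributes, escape everything else, and vet href schemes the way a browser would read them. The tag allowlist, the safe_href helper and the rel attribute added to links are choices made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: anything not listed is removed (the tag goes, its text stays).
ALLOWED_TAGS = {"b", "i", "em", "strong", "u", "p", "br", "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # tag and its text both go


def safe_href(url: str) -> bool:
    """Accept only http(s)/mailto or relative links, after the tricks browsers tolerate."""
    # Browsers strip tabs/newlines and leading controls before parsing a URL, so
    # "java\tscript:alert(1)" still executes; refuse any control character outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme:
        return scheme in SAFE_SCHEMES
    return not url.startswith("//")   # scheme-less is fine, protocol-relative is not


class AllowlistSanitizer(HTMLParser):
    # HTMLParser's default handlers for comments, doctypes and processing
    # instructions do nothing, so those are dropped without extra code.
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # text and attribute values arrive decoded
        self.out: list[str] = []
        self.open_tags: list[str] = []   # tags we emitted, so we can close them in order
        self.skipping = False            # inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag dropped; its text still comes through
        parts = [tag]
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not safe_href(value):
                    continue
                # Re-escape with quote=True: the decoded value may contain " or &.
                parts.append(f'{name}="{escape(value, quote=True)}"')
        if tag == "a":
            parts.append('rel="noopener noreferrer nofollow"')  # example's own choice
        self.out.append(f"<{' '.join(parts)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):   # <br/> and friends
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
            return
        if self.skipping or tag not in self.open_tags:
            return                       # stray close tag: ignore rather than emit
        while self.open_tags:            # close anything still open inside it too
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:            # balance whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    return parser.result()
```

Two details carry most of the safety: attribute values are decoded by the parser before the scheme check, so "&#106;avascript:" is seen as "javascript:", and the sanitizer never copies the original markup through, so anything it did not explicitly allow cannot reach the output.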

Detecting a (naughty or nice) URL or link in a text string

I’m concentrating my answer on trying to avoid spammers. This leads to two sub-assumptions: the people using the system will therefore be actively trying to contravene your check and your goal is only to detect the presence of a URL, not to extract the complete URL. This solution would look different if your goal is … Read more
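An added example, not the answer's own code, of the detect-not-extract approach under adversarial input: first undo the obfuscations a spammer uses to hide a link (defanged hxxp, "[.]", "example dot com", zero-width characters), and only then look for something URL-shaped. The obfuscation patterns and the short TLD list are illustrative assumptions; a production filter would load the IANA TLD list and tune the patterns against its own spam corpus.

```python
import re

# Short illustrative TLD list (assumption for the example); load the IANA list in practice.
_TLDS = ("com", "net", "org", "info", "biz", "io", "co", "ru", "cn", "uk", "de", "xyz", "top", "ly", "me")

# Representative ways people write a dot so that a naive check misses it.
_DOT_OBFUSCATION = re.compile(
    r"\s*(?:\[\s*\.\s*\]|\(\s*\.\s*\)|\[\s*dot\s*\]|\(\s*dot\s*\))\s*"  # [.] (.) [dot] (dot)
    r"|\s+dot\s+"                                                     # "example dot com"
    r"|\s+\.\s+",                                                     # "example . com"
    re.IGNORECASE,
)
_SCHEME_OBFUSCATION = re.compile(r"\bhxxp(s?)\b", re.IGNORECASE)     # "defanged" hxxp://
_INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")          # zero-width characters

_URL_LIKE = re.compile(
    r"(?:https?|ftp)://\S+"                                           # explicit scheme
    r"|\bwww\.[\w-]+"                                                 # www.anything
    r"|(?<![\w.@-])(?:[\w-]+\.)+(?:" + "|".join(_TLDS) + r")(?![\w-])",  # label(s).tld
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Undo the common obfuscations before looking for a link."""
    text = _INVISIBLE.sub("", text)
    text = _DOT_OBFUSCATION.sub(".", text)
    text = _SCHEME_OBFUSCATION.sub(r"http\1", text)
    return text


def contains_url(text: str) -> bool:
    """True if the text appears to carry a link, however it was written."""
    return _URL_LIKE.search(normalize(text)) is not None
```

The normalisation deliberately favours recall over precision ("the dot com bubble" becomes "the.com" and is flagged), and the lookbehind excludes e-mail addresses so that "bob@example.com" does not count as a link; both are tuning decisions a spam check would make together with its other signals rather than in isolation.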

Sanitizing HTML in submitted form data

strip_tags actually removes the tags from the input, which may not be what you want. To convert a string to a “safe string” with angle brackets, ampersands and quotes converted to the corresponding HTML entities, you can use the escape filter:

    from django.utils.html import escape

    message = escape(form.cleaned_data['message'])