A "safe" python HTML text formatting (ala textile)

Question

I've been looking around for an existing python library in the style of textile to format text for users to enter.

If it was just me entering it, just textile would have been fine, but since the input is meant for a django app that will take user input and display it, while still maintaining some formatting.

I managed to find little loopholes here in there in the existing libraries I saw. They sometimes wouldn't escape things the way they should have, would let me input straight HTML and the list goes on.

So what are some recommendations of conversion engines I can use?

Answer 1

If you're using Django, you could try safe markdown:

{% load markup %}

{{ foo|markdown:"safe" }}

You'll need to have markdown installed, and django.contrib.markup in your settings.py apps.

If you want to sanitize HTML on save, I've had good luck using feedparser's sanitize (http://www.feedparser.org/).

import feedparser

body = feedparser._sanitizeHTML(body, 'utf8')

Answer 2

Did you try the included django.contrib.markup libraries?

Answer 3

If you are looking for a textile solution: the PyTextile that django markup uses actually has a textile_restricted() function, which for some reason, never made it into django.contrib.markup. You can use this function to provide restricted textile. Either by adding a method to your model that calls textile_restricted, or use a custom template tag textile_restricted, defined by the following code:

from django import template
from django.conf import settings
from django.utils.encoding import smart_str, force_unicode
from django.utils.safestring import mark_safe

register = template.Library()

def textile_restricted(value):
    try:
        import textile
    except ImportError:
        if settings.DEBUG:
            raise template.TemplateSyntaxError("Error in {% textile %} filter: The Python textile library isn't installed.")
        return force_unicode(value)
    else:
        return mark_safe(force_unicode(textile.textile_restricted(smart_str(value))))
textile_restricted.is_safe = True

register.filter(textile_restricted)