I have a model with a description field; this field can contain HTML code. For security reasons I want to create a custom field to clean this code before saving it to the DB.
I'm trying to use the lib bleach https://github.com/mozilla/bleach, but I don't know if I'm doing it right.
This is my custom field:
    import bleach
    from django.db import models

    class HtmlField(models.TextField):
        description = 'Clean HTML field'

        def __init__(self, *args, **kwargs):
            # Runs once, when the field is declared on the model: it cleans the
            # class attribute `description` and discards the result. The value
            # stored in the column is never passed through bleach here.
            bleach.clean(self.description)
            super().__init__(*args, **kwargs)
EDIT:
I can save the data the way I want, but I receive this error on migrate: TypeError: argument cannot be of 'NoneType' type, must be of text type
EDIT2: I solved the previous problem by adding a check for whether the text is empty:
    if not value:
        return ''
You can override the to_python function, like:
    import bleach
    from django.db import models

    class HtmlField(models.TextField):
        description = 'Clean HTML field'

        def to_python(self, value):
            # TextField.to_python() returns None or a str; bleach.clean() only
            # accepts text, so None has to be passed through untouched.
            value = super().to_python(value)
            if value is None:
                return None
            return bleach.clean(value)
That being said, I'm not convinced that storing HTML code in the database is a security risk. The database does not render the html, it does not run the JavaScript parts, etc. See the question "Database for Content - OK to store HTML?" for more information.