Difficulty: hard · Application · Question 8 of 15
Django - Security Best Practices
You want to safely render user comments in Django templates that may include limited HTML tags like <b> and <i> but prevent any embedded scripts. What is the best approach?
A. Render user input as plain text without any HTML tags.
B. Apply the 'safe' filter directly to user input without sanitization.
C. Disable autoescaping globally in Django settings.
D. Use a whitelist HTML sanitizer on the input before marking it safe in the template.
Step-by-Step Solution
  1. Identify the need for safe HTML rendering

     Allowing a limited set of HTML tags means the input must be sanitized to remove unsafe tags and attributes before it is rendered; Django's default autoescaping alone would escape the permitted <b> and <i> tags along with everything else.
  2. Use a whitelist sanitizer

     A whitelist (allow-list) sanitizer such as Bleach keeps only an explicit set of safe tags (e.g., <b>, <i>) and attributes and strips or escapes everything else, including <script> elements and event-handler attributes.
  3. Mark the sanitized input as safe

     Only after sanitization should the string be marked safe (mark_safe in Python or the 'safe' filter in the template), so the allowed HTML renders while anything unsafe has already been removed.
  4. Final Answer:

     Use a whitelist HTML sanitizer on the input before marking it safe in the template. -> Option D
  5. Quick Check:

     Sanitize input first, then mark safe to allow limited HTML [OK]
Quick Trick: Sanitize input before marking safe to allow limited HTML [OK]
Common Mistakes:
  • Using 'safe' filter without sanitization
  • Disabling autoescaping globally
  • Rendering raw input without filtering
