From html-sanitizer to nh3

matthiask · Apr 9, 2024 · 12d9e02 · 12d9e02
1 parent 180a604
commit 12d9e02
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 42 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -6,6 +6,11 @@ Next version
 
 - Made the editor usable in dark mode.
 - Changed the cancel buttons in dialogs to not validate the form.
+- Switched the ``SanitizedProseEditorField`` from html-sanitizer (which at the
+  moment uses the problematic lxml HTML cleaner under the hood) with `nh3
+  <https://nh3.readthedocs.io/en/latest/>`__. html-sanitizer is still a good
+  choice but since we build on ProseMirror we only require a sanitizer, we
+  don't have to clean up strange HTML.
 
 
 0.2 (2024-03-12)

diff --git a/README.rst b/README.rst
@@ -56,17 +56,8 @@ particular scheme. Of course users can submit what they want, they are not
 constrainted by the HTML widgets you're using. You should still always sanitize
 the HTML submitted on the server side. A good way to do this is by using the
 ``sanitize`` argument to the ``ProseEditorField``. You can use the following
-snippet to always pass HTML through `html-sanitizer
-<https://github.com/matthiask/html-sanitizer>`__:
-
-.. code-block:: python
-
-    from html_sanitizer.django import get_sanitizer
-
-    description = ProseEditorField(sanitize=get_sanitizer().sanitize)
-
-You can also use the following, which uses a sanitizer instance which allows
-all elements which are allowed by the ProseMirror configuration:
+snippet to always pass HTML through `nh3
+<https://nh3.readthedocs.io/en/latest/>`__:
 
 .. code-block:: python
 

diff --git a/django_prose_editor/sanitized.py b/django_prose_editor/sanitized.py
@@ -1,36 +1,10 @@
-from functools import cached_property
-
-from html_sanitizer import Sanitizer
-
 from django_prose_editor.fields import ProseEditorField
 
 
-SETTINGS = {
-    "tags": {
-        "a",
-        "h1",
-        "h2",
-        "h3",
-        "strong",
-        "em",
-        "p",
-        "ul",
-        "ol",
-        "li",
-        "br",
-        "sub",
-        "sup",
-        "hr",
-        "blockquote",
-    },
-}
-
-
 class SanitizedProseEditorField(ProseEditorField):
     def __init__(self, *args, **kwargs):
-        kwargs.setdefault("sanitize", self.sanitizer.sanitize)
-        super().__init__(*args, **kwargs)
+        if "sanitize" not in kwargs:
+            from nh3 import clean
 
-    @cached_property
-    def sanitizer(self):
-        return Sanitizer(SETTINGS)
+            kwargs["sanitize"] = clean
+        super().__init__(*args, **kwargs)
diff --git a/pyproject.toml b/pyproject.toml
@@ -34,7 +34,7 @@ dependencies = [
 [project.optional-dependencies]
 tests = [
     "coverage",
-    "html-sanitizer",
+    "nh3",
 ]
 
 [project.urls]