Security setup

Like any other web application, django-formidable may be targeted by attackers who try to inject SQL or malicious code through JavaScript or any other XSS vector.

How to secure your django-formidable installation

Add the following setting: DJANGO_FORMIDABLE_SANITIZE_FUNCTION. Its value must be a string with the dotted path of a function (for example "path.to.module.clean_func"); django-formidable imports that function and runs every secured field value through it.
Important
We highly recommend using bleach, with dedicated adjustments (allowed tags, attributes and so on), to make sure you are sanitizing your content properly.
See the bleach documentation for choosing your own parameters when calling the clean() function.
Example

In your settings.py, add the following:
DJANGO_FORMIDABLE_SANITIZE_FUNCTION = "path.to.module.clean_func"
And then in the path/to/module.py module, add a function that looks like this:

    import bleach

    def clean_func(obj):
        """
        Sanitize API text content.

        strip=True removes disallowed tags entirely instead of escaping them,
        so markup such as <script> never reaches the rendered form.
        """
        return bleach.clean(obj, strip=True)
Warning
If you don't add this setting, or if its value is not importable (typo, missing PYTHONPATH, etc.):
- an error will be logged,
- django-formidable won't sanitize your contents for you, so unsanitized text will be stored and rendered as-is.
Secured fields

The sanitize function is applied to the following values:
- Form label & description,
- Field label, description (help text), defaults, placeholder.
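The following is an added example, not code from django-formidable itself, showing how a setting like DJANGO_FORMIDABLE_SANITIZE_FUNCTION is resolved from a dotted-path string to a callable, what happens when the path is wrong (error logged, content passed through untouched, exactly the failure mode the warning above describes), and how the resolved function is applied to the secured field values. The resolver, the field names in SAMPLE_FIELDS, the html.escape stand-in and the allowed-tag lists are assumptions made for this example; in a real deployment you would point the setting at a bleach-based function such as bleach_sanitizer below.

```python
import html
import importlib
import logging

try:
    import bleach  # optional here: only needed for bleach_sanitizer
except ImportError:
    bleach = None

logger = logging.getLogger(__name__)

# Assumed "dedicated adjustments" for bleach: an allow-list of harmless
# inline formatting; everything else (script, img, event handlers) is stripped.
ALLOWED_TAGS = ["b", "i", "em", "strong", "a"]
ALLOWED_ATTRIBUTES = {"a": ["href", "title"]}


def bleach_sanitizer(value):
    """Sanitizer in the style the docs recommend: bleach.clean with an allow-list."""
    if bleach is None:
        raise RuntimeError("bleach is not installed; pip install bleach")
    return bleach.clean(value, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, strip=True)


def escape_sanitizer(value):
    """Stand-in sanitizer using only the standard library (an assumption for
    this example so it runs without bleach). It neutralises markup by
    escaping it rather than stripping it."""
    return html.escape(value, quote=True)


def passthrough(value):
    """Fallback when no usable sanitizer is configured: value returned untouched."""
    return value


def resolve_sanitizer(dotted_path):
    """Turn a 'package.module.function' string into a callable.

    Mirrors the behaviour the docs describe: a missing setting or an
    unimportable path logs an error and results in no sanitizing at all.
    """
    if not dotted_path:
        logger.error("DJANGO_FORMIDABLE_SANITIZE_FUNCTION is not set; content will not be sanitized")
        return passthrough
    module_path, _, func_name = dotted_path.rpartition(".")
    try:
        module = importlib.import_module(module_path)
        func = getattr(module, func_name)
    except (ImportError, AttributeError, ValueError) as exc:
        logger.error("Cannot import sanitize function %r (%s); content will not be sanitized",
                     dotted_path, exc)
        return passthrough
    if not callable(func):
        logger.error("%r is not callable; content will not be sanitized", dotted_path)
        return passthrough
    return func


def sanitize_fields(fields, dotted_path):
    """Apply the configured sanitizer to each secured value (labels, help text, ...)."""
    clean = resolve_sanitizer(dotted_path)
    return {name: clean(value) for name, value in fields.items()}


# Constructed sample values for the secured fields, containing markup that
# must never reach the rendered page.
SAMPLE_FIELDS = {
    "label": "Name <script>alert(1)</script>",
    "help_text": '<img src=x onerror="alert(1)">Enter your name',
    "placeholder": "Jane Doe",
}

if __name__ == "__main__":
    # Correctly configured: markup is neutralised.
    print(sanitize_fields(SAMPLE_FIELDS, "html.escape"))
    # Typo in the setting: error logged, values come back unchanged.
    print(sanitize_fields(SAMPLE_FIELDS, "no.such.module.clean_func"))
```

Running the block shows the two outcomes side by side: with a valid dotted path every field value is cleaned, while with an unimportable path the values are returned unchanged, which is why the error log from the resolver is worth alerting on in production.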