
Sanitizes known XSS attack vectors carried in the DraftJS JSON data format.


DraftJS Sanitizer

Sanitizes DraftJS JSON content, given as a dict, so that it is safe to save. Also dumps it safely to a string so that quotes and HTML entities cannot be injected when the JSON is embedded in HTML.



pip install draftjs-sanitizer


Remove known exploits

This removes any URL that could be used for an XSS attack, such as a link whose target is raw JavaScript code.

from draftjs_sanitizer import clean_draft_js

# Raw DraftJS content whose LINK entity points at a javascript: URL;
# clean_draft_js strips that URL so the content is safe to save.
cleaned = clean_draft_js({
    "blocks": [
        {
            "key": "an6ci",
            "data": {},
            "text": "Get Saleor today!",
            "type": "unstyled",
            "depth": 0,
            "entityRanges": [
                {
                    "key": 0,
                    "length": 17,
                    "offset": 0
                }
            ],
            "inlineStyleRanges": []
        }
    ],
    "entityMap": {
        "0": {
            "data": {
                "url": "javascript:alert('Oopsie!');"
            },
            "type": "LINK",
            "mutability": "MUTABLE"
        }
    }
})

Dump JSON for HTML Usage

This lets you run it as a filter so that the JSON can be placed into HTML without any injection or bypass.

from draftjs_sanitizer import to_string

dumped_json = to_string({"block": "</div><script>alert('Oopsie!');</script>"})

Example 1: attribute bypass (the injection an unescaped dump would allow inside a single-quoted attribute)

    <div data-draft-js-json='{"block": "'<script>alert('Oopsie!');</script>"}'></div>

Example 2: inner HTML bypass (the injection an unescaped dump would allow inside an element)

    {"block": "</div><script>alert('Oopsie!');</script>"}

Supported Checks

| Type                 | Entities    | Description                                                                              |
|----------------------|-------------|------------------------------------------------------------------------------------------|
| Javascript URL       | IMAGE, LINK | Prevents injecting JavaScript through the javascript: protocol in a URL.                 |
| Invalid URL          | IMAGE, LINK | Removes any invalid URL from the JSON content.                                           |
| Dangerous Characters | any         | Removes any character that is sensitive when the JSON is embedded in HTML: ", ', <, >.   |
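To make the checks above concrete, here is an added, self-contained example that is not the library's own code: a minimal clean_draft_js that drops javascript:, schemeless and host-less URLs from LINK/IMAGE entities, and a to_string that \uXXXX-escapes the characters which could close an element or a single-quoted attribute while keeping the dump valid JSON. The scheme allowlist, the URL keys checked and the sample content are assumptions for this example; URL parsing uses the standard library's urllib.parse rather than the urllib3 the project depends on.

```python
import json
from urllib.parse import urlsplit

# Constructed DraftJS raw content (not the project's): a javascript: LINK plus a safe IMAGE.
SAMPLE = {
    "blocks": [{"key": "an6ci", "data": {}, "text": "Get Saleor today!",
                "type": "unstyled", "depth": 0, "inlineStyleRanges": [],
                "entityRanges": [{"key": 0, "length": 17, "offset": 0}]}],
    "entityMap": {
        "0": {"type": "LINK", "mutability": "MUTABLE",
              "data": {"url": "javascript:alert('Oopsie!');"}},
        "1": {"type": "IMAGE", "mutability": "IMMUTABLE",
              "data": {"src": "https://example.com/a.png"}},
    },
}
SAFE_SCHEMES = {"http", "https", "mailto"}   # allowlist chosen for this example
URL_ENTITIES = {"LINK", "IMAGE"}
# JSON never uses < > ' & structurally, so \uXXXX-escaping them keeps the dump valid
# JSON while it can no longer close an element or a '-quoted attribute (structural " stay).
HTML_ESCAPES = {ord("<"): "\\u003c", ord(">"): "\\u003e",
                ord("'"): "\\u0027", ord("&"): "\\u0026"}

def is_safe_url(value):
    """Allowlist the scheme and require a host for http(s) URLs."""
    if not isinstance(value, str):
        return False
    # Browsers ignore tab/newline inside a scheme ("java\tscript:"); strip them first.
    value = value.translate({ord(c): None for c in "\t\r\n"}).strip()
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return False
    return parts.scheme.lower() == "mailto" or bool(parts.netloc)

def clean_draft_js(content):
    """Return a deep copy with unsafe URLs dropped from LINK/IMAGE entities."""
    cleaned = json.loads(json.dumps(content))   # copy; also enforces plain JSON types
    for entity in cleaned.get("entityMap", {}).values():
        if entity.get("type") in URL_ENTITIES:
            data = entity.setdefault("data", {})
            for key in ("url", "src", "href"):
                if key in data and not is_safe_url(data[key]):
                    del data[key]   # keep the entity, drop only the dangerous URL
    return cleaned

def to_string(content):
    """Dump JSON so it can sit inside an element or a single-quoted attribute."""
    return json.dumps(content).translate(HTML_ESCAPES)
```

Because the escaped output is still valid JSON, the browser-side reader needs no changes: JSON.parse restores the original characters after the HTML parser has handed it the attribute or element text.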


./setup.py develop
pip install -r requirements_dev.txt

You can extend the behavior through these classes:

  • draftjs_sanitizer.encoder.DraftJSSafeEncoder
  • draftjs_sanitizer.sanitizer.DraftJSSanitizer


  • urllib3 for RFC 3986 parsing and validation of URLs.