发表新帖
发表新帖

Strip HTML from strings in Python

前端 未结
关注
26 2806
难免孤独
难免孤独 2020-11-22 02:50 
from mechanize import Browser
br = Browser()
br.open(\'http://somewebpage\')
html = br.response().readlines()
for line in html:
  print line

When p

26条回答
  • 猫巷女王i
    猫巷女王i (楼主)
    2020-11-22 03:05

    Short version!

    import re, cgi
tag_re = re.compile(r'(|<[^>]*>)')

# Remove well-formed tags, fixing mistakes by legitimate users
no_tags = tag_re.sub('', user_input)

# Clean up anything else by escaping
ready_for_web = cgi.escape(no_tags)

    Regex source: MarkupSafe. Their version handles HTML entities too, while this quick one doesn't.

    Why can't I just strip the tags and leave it?

    It's one thing to keep people from italicizing things, without leaving is floating around. But it's another to take arbitrary input and make it completely harmless. Most of the techniques on this page will leave things like unclosed comments ( src=x onerror=alert(1);//>

    The first time HTMLParser sees it, it can't tell that the is a tag. It looks broken, so HTMLParser doesn't get rid of it. It only takes out the , leaving you with

    This problem was disclosed to the Django project in March, 2014. Their old strip_tags was essentially the same as the top answer to this question. Their new version basically runs it in a loop until running it again doesn't change the string:

    # _strip_once runs HTMLParser once, pulling out just the text of all the nodes.

def strip_tags(value):
    """Returns the given HTML with all tags stripped."""
    # Note: in typical case this loop executes _strip_once once. Loop condition
    # is redundant, but helps to reduce number of executions of _strip_once.
    while '<' in value and '>' in value:
        new_value = _strip_once(value)
        if len(new_value) >= len(value):
            # _strip_once was not able to detect more tags
            break
        value = new_value
    return value

    Of course, none of this is an issue if you always escape the result of strip_tags().

    Update 19 March, 2015: There was a bug in Django versions before 1.4.20, 1.6.11, 1.7.7, and 1.8c1. These versions could enter an infinite loop in the strip_tags() function. The fixed version is reproduced above. More details here.

    Good things to copy or use

    My example code doesn't handle HTML entities - the Django and MarkupSafe packaged versions do.

    My example code is pulled from the excellent MarkupSafe library for cross-site scripting prevention. It's convenient and fast (with C speedups to its native Python version). It's included in Google App Engine, and used by Jinja2 (2.7 and up), Mako, Pylons, and more. It works easily with Django templates from Django 1.7.

    Django's strip_tags and other html utilities from a recent version are good, but I find them less convenient than MarkupSafe. They're pretty self-contained, you could copy what you need from this file.

    If you need to strip almost all tags, the Bleach library is good. You can have it enforce rules like "my users can italicize things, but they can't make iframes."

    Understand the properties of your tag stripper! Run fuzz tests on it! Here is the code I used to do the research for this answer.

    sheepish note - The question itself is about printing to the console, but this is the top Google result for "python strip html from string", so that's why this answer is 99% about the web.

    0 讨论(0)
 看不清?
提交回复
热议问题