xss-utils
1.0.0 · verified Fri May 01 · auth: no · python
xss-utils provides utility functions to sanitize and escape content in Django and Mako templates, helping prevent cross-site scripting (XSS). Version 1.0.0 supports Python 3.12 and Django up to 5.2; Python 3.11 support has been dropped. The library is maintained by the Open edX project and updated regularly.
pip install xss-utils

Common errors

error ModuleNotFoundError: No module named 'xss_utils'
cause The package is not installed, or the import uses the distribution name. The PyPI package is xss-utils (hyphen); the importable module is xss_utils (underscore).
fix Run pip install xss-utils, then import it as xss_utils.

error ImportError: cannot import name 'sanitize_html' from 'xss_utils'
cause sanitize_html is imported from the xss_utils package root instead of from xss_utils.utils.
fix Use: from xss_utils.utils import sanitize_html

error AttributeError: 'str' object has no attribute 'sanitize_html'
cause sanitize_html is called as a method on a string instead of as a plain function.
fix Use sanitize_html(my_string), not my_string.sanitize_html().
Warnings

breaking Version 1.0.0 dropped Python 3.11 support.
fix Upgrade to Python 3.12 or later.

gotcha strip_all_tags_unsafe only removes tags; it does not sanitize HTML attributes or scripts, and the 'unsafe' suffix is a warning that its result is not guaranteed HTML-safe. Stray '<', '>', '&' and quote characters remain in the output, so the result must still be escaped (by template autoescaping or by sanitize_html) before it is rendered, and must never be marked safe.
fix Use sanitize_html for escaping HTML content; treat the output of strip_all_tags_unsafe as untrusted text.

deprecated Importing directly from xss_utils is deprecated; import from xss_utils.utils or xss_utils.filters instead.
fix Update imports: from xss_utils.utils import sanitize_html
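Why the 'unsafe' suffix matters, shown with an added example that is not part of this page or of xss-utils. The stripper below is a deliberately naive single-pass regex stand-in (an assumption for illustration; it does not reproduce how strip_all_tags_unsafe is implemented) and the inputs are constructed. It shows that removing tags can assemble a new tag out of the characters around them, that repeating the strip to a fixed point closes that particular gap, and that only the final html.escape step makes the string safe to place in HTML text.

```python
import html
import re

# Constructed stand-in for a "strip tags" helper: one pass, remove anything
# that looks like a tag. This is NOT xss-utils code and is not how
# strip_all_tags_unsafe is implemented; it is here to show the failure mode.
_TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def naive_strip_tags(value: str) -> str:
    """Remove tag-like spans in a single pass."""
    return _TAG_RE.sub("", value)


def strip_tags_to_fixed_point(value: str) -> str:
    """Strip repeatedly until the string stops changing, so a tag assembled
    by the removal of inner tags is removed on the next pass."""
    while True:
        stripped = _TAG_RE.sub("", value)
        if stripped == value:
            return stripped
        value = stripped


def safe_for_html(value: str) -> str:
    """Strip, then escape. The escaping, not the stripping, is what makes the
    result safe to place in HTML text content; the stripper only tidies."""
    return html.escape(strip_tags_to_fixed_point(value), quote=True)


# Constructed input: each inner <b> is removed and the characters around it
# are glued together into a brand-new <script> element.
NESTED = "<<b>script<b>>alert(1)<<b>/script<b>>"

# Constructed input: an unterminated tag has no closing '>', so a tag
# stripper never sees a complete tag and leaves it untouched.
UNTERMINATED = "<img src=x onerror=alert(1)"

# Constructed input: ordinary text with no tags at all, which a stripper
# passes through unchanged and which still needs escaping.
PLAIN = "1 < 2 & 3 > 2"

if __name__ == "__main__":
    print(naive_strip_tags(NESTED))            # <script>alert(1)</script>
    print(strip_tags_to_fixed_point(NESTED))   # alert(1)
    print(strip_tags_to_fixed_point(UNTERMINATED))  # <img src=x onerror=alert(1)
    print(safe_for_html(UNTERMINATED))         # &lt;img src=x onerror=alert(1)
    print(safe_for_html(PLAIN))                # 1 &lt; 2 &amp; 3 &gt; 2
```

The first print is the point: a single stripping pass turned input with no complete script element into one. Iterating to a fixed point fixes that case, but the unterminated and plain inputs show that stripping never removes every '<' or '&'; whichever stripper is used, its output goes through escaping (template autoescaping or sanitize_html) before rendering and is never marked safe.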
Imports

- strip_all_tags_unsafe
  wrong:   from xss_utils import strip_all_tags_unsafe
  correct: from xss_utils.utils import strip_all_tags_unsafe
- sanitize_html
  from xss_utils.utils import sanitize_html
- strip_all_tags_unsafe (xss_utils.filters)
  from xss_utils.filters import strip_all_tags_unsafe
Quickstart

from xss_utils.utils import sanitize_html

# Constructed example of untrusted HTML: a script element followed by ordinary markup.
unsafe_html = '<script>alert("xss")</script><p>Safe text</p>'
safe_html = sanitize_html(unsafe_html)
print(safe_html)
# Whatever policy the sanitizer applies (escaping or stripping), the raw
# <script> element must not survive as executable markup; check that
# '<script>' does not appear in safe_html before rendering it.