DEV Community


Posted on

Validating and Sanitizing user inputs on python projects REST api


User input data validation is one of the most important things while developing a project. It not only keeps the data clean but also helps with somewhat malicious data being sent with requests using intercept tools like burp suite.

One of python package which helps in validating Api request is Schema

from schema import Schema, And, Use, Optional

schema = Schema([{'name': And(str, len),
                  'age':  And(Use(int), lambda n: 18 <= n <= 99),
                   Optional('gender'): And(str, Use(str.lower),
                                           lambda s: s in ('Male', 'Female'))}])

data = [{'name': 'Pritesh', 'age': '29', 'gender': 'Male'},
        {'name': 'Alisha', 'age': '26', 'gender': 'Female'},
        {'name': 'Atul', 'age': '28'}]

validated = schema.validate(data)
Enter fullscreen mode Exit fullscreen mode

If validation fails It raises SchemaError else it would return filtered payload based on schema validation.

There are many features of Schema we can use, few of them are -

  • Optional keys can also carry a default, to be used when no key in the data matches: eg:
Schema({Optional('best_songs', default='blues'): str, 'best_movie': str}).validate({'best_movie': 'shawshank redemption'})
Enter fullscreen mode Exit fullscreen mode
  • In a dictionary, you can combine two keys in a “one or the other” manner. To do so, use the Or class as a key
Schema({  Or("key1", "key2", only_one=True): str })
Enter fullscreen mode Exit fullscreen mode
  • The Schema(...) parameter ignore_extra_keys causes validation to ignore extra keys in a dictionary, and also to not return them after validating.
Schema({'movie': str}, ignore_extra_keys=True)
print(schema.validate({'movie': 'tenet', 'review': '4'}))
{'movie': 'tenet'}
Enter fullscreen mode Exit fullscreen mode
  • You can pass a keyword argument error to any of validatable classes (such as Schema, And, Or, Regex, Use) to report the error instead of a built-in one.
Schema(Use(int, error='Invalid year')).validate('2020')
Enter fullscreen mode Exit fullscreen mode


Once user inputs are validated, data needs to be sanitized with an HTML sanitizing library that escapes or strips markup and attributes. Bleach
Adding sanitization helps in eliminating XSS attacks on application.

import bleach
bleach.clean('an <script>evil()</script> example')
u'an &lt;script&gt;evil()&lt;/script&gt; example'

Enter fullscreen mode Exit fullscreen mode

Top comments (2)

monacodelisa profile image
{{ MonaCodeLisa }}

Very nice article, thank you 👍

biswajitk profile image

Concise and informative Article. Thanks a lot!