DEV Community

Kanthaliya
Kanthaliya

Posted on

Validating and Sanitizing user inputs on python projects REST api

Validation

User input data validation is one of the most important things while developing a project. It not only keeps the data clean but also helps with somewhat malicious data being sent with requests using intercept tools like burp suite.

One of python package which helps in validating Api request is Schema

from schema import Schema, And, Use, Optional

schema = Schema([{'name': And(str, len),
                  'age':  And(Use(int), lambda n: 18 <= n <= 99),
                   Optional('gender'): And(str, Use(str.lower),
                                           lambda s: s in ('Male', 'Female'))}])

data = [{'name': 'Pritesh', 'age': '29', 'gender': 'Male'},
        {'name': 'Alisha', 'age': '26', 'gender': 'Female'},
        {'name': 'Atul', 'age': '28'}]

validated = schema.validate(data)
Enter fullscreen mode Exit fullscreen mode

If validation fails It raises SchemaError else it would return filtered payload based on schema validation.

There are many features of Schema we can use, few of them are -

  • Optional keys can also carry a default, to be used when no key in the data matches: eg:
Schema({Optional('best_songs', default='blues'): str, 'best_movie': str}).validate({'best_movie': 'shawshank redemption'})
Enter fullscreen mode Exit fullscreen mode
  • In a dictionary, you can combine two keys in a “one or the other” manner. To do so, use the Or class as a key
Schema({  Or("key1", "key2", only_one=True): str })
Enter fullscreen mode Exit fullscreen mode
  • The Schema(...) parameter ignore_extra_keys causes validation to ignore extra keys in a dictionary, and also to not return them after validating.
Schema({'movie': str}, ignore_extra_keys=True)
print(schema.validate({'movie': 'tenet', 'review': '4'}))
{'movie': 'tenet'}
Enter fullscreen mode Exit fullscreen mode
  • You can pass a keyword argument error to any of validatable classes (such as Schema, And, Or, Regex, Use) to report the error instead of a built-in one.
Schema(Use(int, error='Invalid year')).validate('2020')
Enter fullscreen mode Exit fullscreen mode

Sanitization

Once user inputs are validated, data needs to be sanitized with an HTML sanitizing library that escapes or strips markup and attributes. Bleach
Adding sanitization helps in eliminating XSS attacks on application.

import bleach
bleach.clean('an <script>evil()</script> example')
u'an &lt;script&gt;evil()&lt;/script&gt; example'

Enter fullscreen mode Exit fullscreen mode

Top comments (2)

Collapse
 
monacodelisa profile image
Esther White

Very nice article, thank you 👍

Collapse
 
biswajitk profile image
biswajit-k

Concise and informative Article. Thanks a lot!