| published by | Adam Johnson |
|---|---|
| in blog | Adam Johnson |
| original entry | Django: Sanitize incoming HTML fragments with nh3 |
A fairly common situation in a Django project is needing to store and serve arbitrary HTML fragments.
These often come from forms with rich text editors (using HTML’s contenteditable).
It’s insecure to trust user-generated HTML fragments since they can contain naughty content like:
<script src=https …