Is there a good, actively maintained python library available for filtering malicious input such as XSS?

If you are using a web framework and a template engine like Jinja2 there is a chance that the template engine or the framework has something built in just for that.

There is something in the cgi module that can help you:

cgi.escape('malicious code here'), see: http://docs.python.org/library/cgi.html#cgi.escape

Also Jinja2 provides escaping:

from jinja2 import utils
str(utils.escape('malicious code here'))

You can easily code XSS-defense in Python, see for example http://code.activestate.com/recipes/496942/ for an instructive and usable piece of code.

The Strip-o-Gram library looks quite nice. I haven't checked it out properly, but it looks like it does things well (i.e. can whitelist HTML tags you specify, as well as HTML-escaping anything nasty).

Here's the example usage snippet, quoted from that page:

  from stripogram import html2text, html2safehtml
  mylumpofdodgyhtml # a lump of dodgy html ;-)
  # Only allow <b>, <a>, <i>, <br>, and <p> tags
  mylumpofcoolcleancollectedhtml = html2safehtml(mylumpofdodgyhtml,valid_tags=("b", "a", "i", "br", "p"))
  # Don't process <img> tags, just strip them out. Use an indent of 4 spaces 
  # and a page that's 80 characters wide.
  mylumpoftext = html2text(mylumpofcoolcleancollectedhtml,ignore_tags=("img",),indent_width=4,page_width=80)

Hope that helps.