[1.7.x] Added a warning that remove_tags() output shouldn't be considered safe.

Backport of 7efce77de2 from master
This commit is contained in:
Tim Graham 2014-08-07 09:20:59 -04:00
parent 927d7b8b71
commit 9a51270dba
2 changed files with 28 additions and 8 deletions

View File

@ -1939,15 +1939,27 @@ Removes a space-separated list of [X]HTML tags from the output.
For example:: For example::
{{ value|removetags:"b span"|safe }} {{ value|removetags:"b span" }}
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
output will be ``"Joel <button>is</button> a slug"``. unescaped output will be ``"Joel <button>is</button> a slug"``.
Note that this filter is case-sensitive. Note that this filter is case-sensitive.
If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the
output will be ``"<B>Joel</B> <button>is</button> a slug"``. unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``.
.. admonition:: No safety guarantee
Note that ``removetags`` doesn't give any guarantee about its output being
HTML safe. In particular, it doesn't work recursively, so an input like
``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if
you apply ``|removetags:"script"``. So if the input is user provided,
**NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are
looking for something more robust, you can use the ``bleach`` Python
library, notably its `clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
.. templatefilter:: rjust .. templatefilter:: rjust
@ -2064,10 +2076,10 @@ output will be ``"Joel is a slug"``.
.. admonition:: No safety guarantee .. admonition:: No safety guarantee
Note that ``striptags`` doesn't give any guarantee about its output being Note that ``striptags`` doesn't give any guarantee about its output being
entirely HTML safe, particularly with non valid HTML input. So **NEVER** HTML safe, particularly with non valid HTML input. So **NEVER** apply the
apply the ``safe`` filter to a ``striptags`` output. ``safe`` filter to a ``striptags`` output. If you are looking for something
If you are looking for something more robust, you can use the ``bleach`` more robust, you can use the ``bleach`` Python library, notably its
Python library, notably its `clean`_ method. `clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html .. _clean: http://bleach.readthedocs.org/en/latest/clean.html

View File

@ -597,7 +597,8 @@ escaping HTML.
Tries to remove anything that looks like an HTML tag from the string, that Tries to remove anything that looks like an HTML tag from the string, that
is anything contained within ``<>``. is anything contained within ``<>``.
Absolutely NO guaranty is provided about the resulting string being entirely
Absolutely NO guarantee is provided about the resulting string being
HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
escaping it first, for example with :func:`~django.utils.html.escape`. escaping it first, for example with :func:`~django.utils.html.escape`.
@ -621,6 +622,13 @@ escaping HTML.
Removes a space-separated list of [X]HTML tag names from the output. Removes a space-separated list of [X]HTML tag names from the output.
Absolutely NO guarantee is provided about the resulting string being HTML
safe. In particular, it doesn't work recursively, so the output of
``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
won't remove the "nested" script tags. So if the ``value`` is untrusted,
NEVER mark safe the result of a ``remove_tags()`` call without escaping it
first, for example with :func:`~django.utils.html.escape`.
For example:: For example::
remove_tags(value, "b span") remove_tags(value, "b span")