[1.7.x] Added a warning that remove_tags() output shouldn't be considered safe.
Backport of 7efce77de2
from master
This commit is contained in:
parent
927d7b8b71
commit
9a51270dba
|
@ -1939,15 +1939,27 @@ Removes a space-separated list of [X]HTML tags from the output.
|
|||
|
||||
For example::
|
||||
|
||||
{{ value|removetags:"b span"|safe }}
|
||||
{{ value|removetags:"b span" }}
|
||||
|
||||
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
|
||||
output will be ``"Joel <button>is</button> a slug"``.
|
||||
unescaped output will be ``"Joel <button>is</button> a slug"``.
|
||||
|
||||
Note that this filter is case-sensitive.
|
||||
|
||||
If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the
|
||||
output will be ``"<B>Joel</B> <button>is</button> a slug"``.
|
||||
unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``.
|
||||
|
||||
.. admonition:: No safety guarantee
|
||||
|
||||
Note that ``removetags`` doesn't give any guarantee about its output being
|
||||
HTML safe. In particular, it doesn't work recursively, so an input like
|
||||
``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if
|
||||
you apply ``|removetags:"script"``. So if the input is user provided,
|
||||
**NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are
|
||||
looking for something more robust, you can use the ``bleach`` Python
|
||||
library, notably its `clean`_ method.
|
||||
|
||||
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
|
||||
|
||||
.. templatefilter:: rjust
|
||||
|
||||
|
@ -2064,10 +2076,10 @@ output will be ``"Joel is a slug"``.
|
|||
.. admonition:: No safety guarantee
|
||||
|
||||
Note that ``striptags`` doesn't give any guarantee about its output being
|
||||
entirely HTML safe, particularly with non valid HTML input. So **NEVER**
|
||||
apply the ``safe`` filter to a ``striptags`` output.
|
||||
If you are looking for something more robust, you can use the ``bleach``
|
||||
Python library, notably its `clean`_ method.
|
||||
HTML safe, particularly with non valid HTML input. So **NEVER** apply the
|
||||
``safe`` filter to a ``striptags`` output. If you are looking for something
|
||||
more robust, you can use the ``bleach`` Python library, notably its
|
||||
`clean`_ method.
|
||||
|
||||
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
|
||||
|
||||
|
|
|
@ -597,7 +597,8 @@ escaping HTML.
|
|||
|
||||
Tries to remove anything that looks like an HTML tag from the string, that
|
||||
is anything contained within ``<>``.
|
||||
Absolutely NO guaranty is provided about the resulting string being entirely
|
||||
|
||||
Absolutely NO guarantee is provided about the resulting string being
|
||||
HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
|
||||
escaping it first, for example with :func:`~django.utils.html.escape`.
|
||||
|
||||
|
@ -621,6 +622,13 @@ escaping HTML.
|
|||
|
||||
Removes a space-separated list of [X]HTML tag names from the output.
|
||||
|
||||
Absolutely NO guarantee is provided about the resulting string being HTML
|
||||
safe. In particular, it doesn't work recursively, so the output of
|
||||
``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
|
||||
won't remove the "nested" script tags. So if the ``value`` is untrusted,
|
||||
NEVER mark safe the result of a ``remove_tags()`` call without escaping it
|
||||
first, for example with :func:`~django.utils.html.escape`.
|
||||
|
||||
For example::
|
||||
|
||||
remove_tags(value, "b span")
|
||||
|
|
Loading…
Reference in New Issue