[1.5.x] Added a warning that remove_tags() output shouldn't be considered safe.

Backport of 7efce77de2 from master

2 files changed, 28 insertions, 8 deletions

diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 02177eb12b..9f15a8a787 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1831,15 +1831,27 @@ Removes a space-separated list of [X]HTML tags from the output.
 
 For example::
 
-    {{ value|removetags:"b span"|safe }}
+    {{ value|removetags:"b span" }}
 
 If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
-output will be ``"Joel <button>is</button> a slug"``.
+unescaped output will be ``"Joel <button>is</button> a slug"``.
 
 Note that this filter is case-sensitive.
 
 If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the
-output will be ``"<B>Joel</B> <button>is</button> a slug"``.
+unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``.
+
+.. admonition:: No safety guarantee
+
+    Note that ``removetags`` doesn't give any guarantee about its output being
+    HTML safe. In particular, it doesn't work recursively, so an input like
+    ``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if
+    you apply ``|removetags:"script"``. So if the input is user provided,
+    **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are
+    looking for something more robust, you can use the ``bleach`` Python
+    library, notably its `clean`_ method.
+
+.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
 
 .. templatefilter:: rjust
 
@@ -1956,10 +1968,10 @@ output will be ``"Joel is a slug"``.
 .. admonition:: No safety guarantee
 
     Note that ``striptags`` doesn't give any guarantee about its output being
-    entirely HTML safe, particularly with non valid HTML input. So **NEVER**
-    apply the ``safe`` filter to a ``striptags`` output.
-    If you are looking for something more robust, you can use the ``bleach``
-    Python library, notably its `clean`_ method.
+    HTML safe, particularly with non valid HTML input. So **NEVER** apply the
+    ``safe`` filter to a ``striptags`` output. If you are looking for something
+    more robust, you can use the ``bleach`` Python library, notably its
+    `clean`_ method.
 
 .. _clean: http://bleach.readthedocs.org/en/latest/clean.html
 
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index d489545906..4f338be06b 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -618,7 +618,8 @@ escaping HTML.
 
     Tries to remove anything that looks like an HTML tag from the string, that
     is anything contained within ``<>``.
-    Absolutely NO guaranty is provided about the resulting string being entirely
+
+    Absolutely NO guarantee is provided about the resulting string being
     HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
     escaping it first, for example with :func:`~django.utils.html.escape`.
 
@@ -638,6 +639,13 @@ escaping HTML.
 
     Removes a space-separated list of [X]HTML tag names from the output.
 
+    Absolutely NO guarantee is provided about the resulting string being HTML
+    safe. In particular, it doesn't work recursively, so the output of
+    ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
+    won't remove the "nested" script tags. So if the ``value`` is untrusted,
+    NEVER mark safe the result of a ``remove_tags()`` call without escaping it
+    first, for example with :func:`~django.utils.html.escape`.
+
     For example::
 
         remove_tags(value, "b span")