summaryrefslogtreecommitdiff
path: root/docs/ref/templates
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2014-03-20 16:50:50 +0100
committerClaude Paroz <claude@2xlibre.net>2014-03-22 10:59:18 +0100
commit6ca6c36f82b97eafeada61384b2e2f1d0587da86 (patch)
treef0fd507b152148ac683d539c6d23ca9821ac1124 /docs/ref/templates
parentaaa21102592e96c543d60513755d6c81f639f122 (diff)
Improved strip_tags and clarified documentation
The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Diffstat (limited to 'docs/ref/templates')
-rw-r--r--docs/ref/templates/builtins.txt12
1 files changed, 11 insertions, 1 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index a73ba87d75..34dd42252a 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1985,7 +1985,7 @@ If ``value`` is ``10``, the output will be ``1.000000E+01``.
striptags
^^^^^^^^^
-Strips all [X]HTML tags.
+Makes all possible efforts to strip all [X]HTML tags.
For example::
@@ -1994,6 +1994,16 @@ For example::
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``, the
output will be ``"Joel is a slug"``.
+.. admonition:: No safety guarantee
+
+ Note that ``striptags`` doesn't give any guarantee about its output being
+ entirely HTML safe, particularly with non valid HTML input. So **NEVER**
+ apply the ``safe`` filter to a ``striptags`` output.
+ If you are looking for something more robust, you can use the ``bleach``
+ Python library, notably its `clean`_ method.
+
+.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
+
.. templatefilter:: time
time