diff options
| author | Claude Paroz <claude@2xlibre.net> | 2014-03-20 16:50:50 +0100 |
|---|---|---|
| committer | Claude Paroz <claude@2xlibre.net> | 2014-03-22 11:01:14 +0100 |
| commit | 80f08dbdbc1f9c8b4ed75298955016feb697c4a1 (patch) | |
| tree | dda3a74763844deb41fdf180db074d8b64d27249 /docs/ref/templates | |
| parent | 0c19383a1ffaaefe92b7b3bfaac6885525afd9a9 (diff) | |
[1.7.x] Improved strip_tags and clarified documentation
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f82b from master.
Diffstat (limited to 'docs/ref/templates')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 7900e5ed70..f77c2812cb 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2050,7 +2050,7 @@ If ``value`` is ``10``, the output will be ``1.000000E+01``. striptags ^^^^^^^^^ -Strips all [X]HTML tags. +Makes all possible efforts to strip all [X]HTML tags. For example:: @@ -2059,6 +2059,16 @@ For example:: If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``, the output will be ``"Joel is a slug"``. +.. admonition:: No safety guarantee + + Note that ``striptags`` doesn't give any guarantee about its output being + entirely HTML safe, particularly with non valid HTML input. So **NEVER** + apply the ``safe`` filter to a ``striptags`` output. + If you are looking for something more robust, you can use the ``bleach`` + Python library, notably its `clean`_ method. + +.. _clean: http://bleach.readthedocs.org/en/latest/clean.html + .. templatefilter:: time time |
