diff options
| author | Tim Graham <timograham@gmail.com> | 2014-08-07 09:20:59 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-11 07:09:56 -0400 |
| commit | 00ec30d3c43ff2be0bb4d0ff14310d67475503c8 (patch) | |
| tree | 1fcabfb068569086cfa5b4177a5a14f3b6b30c01 /docs/ref/utils.txt | |
| parent | 5d6e4031dff26c3df32712e5037037a7c71a81ea (diff) | |
[1.5.x] Added a warning that remove_tags() output shouldn't be considered safe.
Backport of 7efce77de2 from master
Diffstat (limited to 'docs/ref/utils.txt')
| -rw-r--r-- | docs/ref/utils.txt | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index d489545906..4f338be06b 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -618,7 +618,8 @@ escaping HTML. Tries to remove anything that looks like an HTML tag from the string, that is anything contained within ``<>``. - Absolutely NO guaranty is provided about the resulting string being entirely + + Absolutely NO guarantee is provided about the resulting string being HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without escaping it first, for example with :func:`~django.utils.html.escape`. @@ -638,6 +639,13 @@ escaping HTML. Removes a space-separated list of [X]HTML tag names from the output. + Absolutely NO guarantee is provided about the resulting string being HTML + safe. In particular, it doesn't work recursively, so the output of + ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")`` + won't remove the "nested" script tags. So if the ``value`` is untrusted, + NEVER mark safe the result of a ``remove_tags()`` call without escaping it + first, for example with :func:`~django.utils.html.escape`. + For example:: remove_tags(value, "b span") |
