summaryrefslogtreecommitdiff
path: root/docs/ref/utils.txt
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2014-03-20 16:50:50 +0100
committerClaude Paroz <claude@2xlibre.net>2014-03-22 11:01:14 +0100
commit80f08dbdbc1f9c8b4ed75298955016feb697c4a1 (patch)
treedda3a74763844deb41fdf180db074d8b64d27249 /docs/ref/utils.txt
parent0c19383a1ffaaefe92b7b3bfaac6885525afd9a9 (diff)
[1.7.x] Improved strip_tags and clarified documentation
The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/ Backport of 6ca6c36f82b from master.
Diffstat (limited to 'docs/ref/utils.txt')
-rw-r--r--docs/ref/utils.txt16
1 files changed, 11 insertions, 5 deletions
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index ea6bffce34..5515c01a20 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -595,17 +595,23 @@ escaping HTML.
.. function:: strip_tags(value)
- Removes anything that looks like an html tag from the string, that is
- anything contained within ``<>``.
+ Tries to remove anything that looks like an HTML tag from the string, that
+ is anything contained within ``<>``.
+ Absolutely NO guaranty is provided about the resulting string being entirely
+ HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
+ escaping it first, for example with :func:`~django.utils.html.escape`.
For example::
strip_tags(value)
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
- the return value will be ``"Joel is a slug"``. Note that ``strip_tags``
- result may still contain unsafe HTML content, so you might use
- :func:`~django.utils.html.escape` to make it a safe string.
+ the return value will be ``"Joel is a slug"``.
+
+ If you are looking for a more robust solution, take a look at the `bleach`_
+ Python library.
+
+ .. _bleach: https://pypi.python.org/pypi/bleach
.. versionchanged:: 1.6