summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2014-03-22 11:14:15 +0100
committerClaude Paroz <claude@2xlibre.net>2014-03-22 11:14:15 +0100
commit468d06077a33d35c9f8f0bc83b17377ea501bacd (patch)
treeb08ce760623df9946ef62032ab3d6264f3c15cb8 /docs/ref
parentb86ff4ee82b1dddea7179d72ee3368cb8962cbc6 (diff)
[1.5.x] Clarified strip_tags documentation
The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/ Partial backport (doc-only) of 6ca6c36f82 from master.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/templates/builtins.txt12
-rw-r--r--docs/ref/utils.txt16
2 files changed, 23 insertions, 5 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index befcff4e41..02177eb12b 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1944,7 +1944,7 @@ If ``value`` is ``10``, the output will be ``1.000000E+01``.
striptags
^^^^^^^^^
-Strips all [X]HTML tags.
+Makes all possible efforts to strip all [X]HTML tags.
For example::
@@ -1953,6 +1953,16 @@ For example::
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``, the
output will be ``"Joel is a slug"``.
+.. admonition:: No safety guarantee
+
+ Note that ``striptags`` doesn't give any guarantee about its output being
+ entirely HTML safe, particularly with non valid HTML input. So **NEVER**
+ apply the ``safe`` filter to a ``striptags`` output.
+ If you are looking for something more robust, you can use the ``bleach``
+ Python library, notably its `clean`_ method.
+
+.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
+
.. templatefilter:: time
time
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index 2c4529adcd..d489545906 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -616,15 +616,23 @@ escaping HTML.
.. function:: strip_tags(value)
- Removes anything that looks like an html tag from the string, that is
- anything contained within ``<>``.
+ Tries to remove anything that looks like an HTML tag from the string, that
+ is anything contained within ``<>``.
+ Absolutely NO guaranty is provided about the resulting string being entirely
+ HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
+ escaping it first, for example with :func:`~django.utils.html.escape`.
For example::
strip_tags(value)
- If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
- return value will be ``"Joel is a slug"``.
+ If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
+ the return value will be ``"Joel is a slug"``.
+
+ If you are looking for a more robust solution, take a look at the `bleach`_
+ Python library.
+
+ .. _bleach: https://pypi.python.org/pypi/bleach
.. function:: remove_tags(value, tags)