diff options
| author | Tim Graham <timograham@gmail.com> | 2014-08-11 07:24:51 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-15 08:20:02 -0400 |
| commit | e122facbd89c5768528f5ba3b13552d43f989757 (patch) | |
| tree | 84f990612dffbb119a8620e1dccae10f4f76c45f /docs | |
| parent | deed00c0d803d324a3dfdeba52458b6b009c1a90 (diff) | |
Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter.
Also the unused, undocumented django.utils.html.strip_entities() function.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/deprecation.txt | 5 | ||||
| -rw-r--r-- | docs/ref/templates/builtins.txt | 7 | ||||
| -rw-r--r-- | docs/ref/utils.txt | 8 | ||||
| -rw-r--r-- | docs/releases/1.8.txt | 11 |
4 files changed, 29 insertions, 2 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index ed84626d3f..eca4a5f4f3 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -49,6 +49,11 @@ about each item can often be found in the release notes of two versions prior. * The backward compatible shim to rename ``django.forms.Form._has_changed()`` to ``has_changed()`` will be removed. +* The ``removetags`` template filter will be removed. + +* The ``remove_tags()`` and ``strip_entities()`` functions in + ``django.utils.html`` will be removed. + .. _deprecation-removed-in-1.9: 1.9 diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index fcda7aaa56..516ddbe1de 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1918,6 +1918,13 @@ If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``. removetags ^^^^^^^^^^ +.. deprecated:: 1.8 + + ``removetags`` cannot guarantee HTML safe output and has been deprecated due + to security concerns. Consider using `bleach`_ instead. + +.. _bleach: http://bleach.readthedocs.org/en/latest/ + Removes a space-separated list of [X]HTML tags from the output. For example:: diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index b7e3693f59..2f2b15de35 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -630,10 +630,13 @@ escaping HTML. If you are looking for a more robust solution, take a look at the `bleach`_ Python library. - .. _bleach: https://pypi.python.org/pypi/bleach - .. function:: remove_tags(value, tags) + .. deprecated:: 1.8 + + ``remove_tags()`` cannot guarantee HTML safe output and has been + deprecated due to security concerns. Consider using `bleach`_ instead. + Removes a space-separated list of [X]HTML tag names from the output. Absolutely NO guarantee is provided about the resulting string being HTML @@ -656,6 +659,7 @@ escaping HTML. the return value will be ``"<B>Joel</B> <button>is</button> a slug"``. .. _str.format: http://docs.python.org/library/stdtypes.html#str.format +.. _bleach: https://pypi.python.org/pypi/bleach ``django.utils.http`` ===================== diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt index 9b013c676c..22faffd330 100644 --- a/docs/releases/1.8.txt +++ b/docs/releases/1.8.txt @@ -682,3 +682,14 @@ Using the new syntax, this becomes:: Rename this method to :meth:`~django.forms.Field.has_changed` by removing the leading underscore. The old name will still work until Django 2.0. + +``django.utils.html.remove_tags()`` and ``removetags`` template filter +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +``django.utils.html.remove_tags()`` as well as the template filter +``removetags`` have been deprecated as they cannot guarantee safe output. Their +existence is likely to lead to their use in security-sensitive contexts where +they are not actually safe. + +The unused and undocumented ``django.utils.html.strip_entities()`` function has +also been deprecated. |
