summaryrefslogtreecommitdiff
path: root/docs/ref/utils.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/ref/utils.txt')
-rw-r--r--docs/ref/utils.txt10
1 files changed, 9 insertions, 1 deletions
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index d489545906..4f338be06b 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -618,7 +618,8 @@ escaping HTML.
Tries to remove anything that looks like an HTML tag from the string, that
is anything contained within ``<>``.
- Absolutely NO guaranty is provided about the resulting string being entirely
+
+ Absolutely NO guarantee is provided about the resulting string being
HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
escaping it first, for example with :func:`~django.utils.html.escape`.
@@ -638,6 +639,13 @@ escaping HTML.
Removes a space-separated list of [X]HTML tag names from the output.
+ Absolutely NO guarantee is provided about the resulting string being HTML
+ safe. In particular, it doesn't work recursively, so the output of
+ ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
+ won't remove the "nested" script tags. So if the ``value`` is untrusted,
+ NEVER mark safe the result of a ``remove_tags()`` call without escaping it
+ first, for example with :func:`~django.utils.html.escape`.
+
For example::
remove_tags(value, "b span")