summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt5
-rw-r--r--docs/ref/templates/builtins.txt7
-rw-r--r--docs/ref/utils.txt8
-rw-r--r--docs/releases/1.8.txt11
4 files changed, 29 insertions, 2 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index ed84626d3f..eca4a5f4f3 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -49,6 +49,11 @@ about each item can often be found in the release notes of two versions prior.
* The backward compatible shim to rename ``django.forms.Form._has_changed()``
to ``has_changed()`` will be removed.
+* The ``removetags`` template filter will be removed.
+
+* The ``remove_tags()`` and ``strip_entities()`` functions in
+ ``django.utils.html`` will be removed.
+
.. _deprecation-removed-in-1.9:
1.9
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index fcda7aaa56..516ddbe1de 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1918,6 +1918,13 @@ If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``.
removetags
^^^^^^^^^^
+.. deprecated:: 1.8
+
+ ``removetags`` cannot guarantee HTML safe output and has been deprecated due
+ to security concerns. Consider using `bleach`_ instead.
+
+.. _bleach: http://bleach.readthedocs.org/en/latest/
+
Removes a space-separated list of [X]HTML tags from the output.
For example::
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index b7e3693f59..2f2b15de35 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -630,10 +630,13 @@ escaping HTML.
If you are looking for a more robust solution, take a look at the `bleach`_
Python library.
- .. _bleach: https://pypi.python.org/pypi/bleach
-
.. function:: remove_tags(value, tags)
+ .. deprecated:: 1.8
+
+ ``remove_tags()`` cannot guarantee HTML safe output and has been
+ deprecated due to security concerns. Consider using `bleach`_ instead.
+
Removes a space-separated list of [X]HTML tag names from the output.
Absolutely NO guarantee is provided about the resulting string being HTML
@@ -656,6 +659,7 @@ escaping HTML.
the return value will be ``"<B>Joel</B> <button>is</button> a slug"``.
.. _str.format: http://docs.python.org/library/stdtypes.html#str.format
+.. _bleach: https://pypi.python.org/pypi/bleach
``django.utils.http``
=====================
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt
index 9b013c676c..22faffd330 100644
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@@ -682,3 +682,14 @@ Using the new syntax, this becomes::
Rename this method to :meth:`~django.forms.Field.has_changed` by removing the
leading underscore. The old name will still work until Django 2.0.
+
+``django.utils.html.remove_tags()`` and ``removetags`` template filter
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``django.utils.html.remove_tags()`` as well as the template filter
+``removetags`` have been deprecated as they cannot guarantee safe output. Their
+existence is likely to lead to their use in security-sensitive contexts where
+they are not actually safe.
+
+The unused and undocumented ``django.utils.html.strip_entities()`` function has
+also been deprecated.