| Age | Commit message | Author |
django.utils.html.json_script().
filter.
Added versionchanged note in documentation
urlize().
strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
html.escape()/unescape().
urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
These functions do nothing on Python 3.
Thanks Tim Graham for the review.
Thanks to bmispelon and uruz for the initial patch.
deprecation timeline.
Forwardport of ae1d663b7913f6da233c55409c4973248372d302
from stable/1.8.x plus more.
templates.
This is a security fix; disclosure to follow shortly.
Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".
Refs #22267.
Thanks Md. Enzam Hossain for the report and initial patch, and
Tim Graham for the review.
Also the unused, undocumented django.utils.html.strip_entities() function.
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Also removed related utility functions:
* django.utils.html.fix_ampersands
* django.utils.html.clean_html
Thanks Anssi Kääriäinen for the idea and Simon Charette for the
review.
The idea is that if an object implements __html__ which returns a string, this is
used as the HTML representation (e.g. on escaping). If the object is a str or unicode
subclass and returns itself, the object is a safe string type.
This is an updated patch based on jbalogh and ivank patches.
Refs #20680.
The regex method used until now for the strip_tags utility is fast,
but subject to flaws and security issues. Consensus and good
practice lead us to use a slower but safer method.