From 00ec30d3c43ff2be0bb4d0ff14310d67475503c8 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Thu, 7 Aug 2014 09:20:59 -0400 Subject: [1.5.x] Added a warning that remove_tags() output shouldn't be considered safe. Backport of 7efce77de2 from master --- docs/ref/utils.txt | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'docs/ref/utils.txt') diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index d489545906..4f338be06b 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -618,7 +618,8 @@ escaping HTML. Tries to remove anything that looks like an HTML tag from the string, that is anything contained within ``<>``. - Absolutely NO guaranty is provided about the resulting string being entirely + + Absolutely NO guarantee is provided about the resulting string being HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without escaping it first, for example with :func:`~django.utils.html.escape`. @@ -638,6 +639,13 @@ escaping HTML. Removes a space-separated list of [X]HTML tag names from the output. + Absolutely NO guarantee is provided about the resulting string being HTML + safe. In particular, it doesn't work recursively, so the output of + ``remove_tags("ript>alert('XSS')ript>", "script")`` + won't remove the "nested" script tags. So if the ``value`` is untrusted, + NEVER mark safe the result of a ``remove_tags()`` call without escaping it + first, for example with :func:`~django.utils.html.escape`. + For example:: remove_tags(value, "b span") -- cgit v1.3