From e122facbd89c5768528f5ba3b13552d43f989757 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 11 Aug 2014 07:24:51 -0400 Subject: Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter. Also the unused, undocumented django.utils.html.strip_entities() function. --- docs/ref/templates/builtins.txt | 7 +++++++ docs/ref/utils.txt | 8 ++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'docs/ref') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index fcda7aaa56..516ddbe1de 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1918,6 +1918,13 @@ If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``. removetags ^^^^^^^^^^ +.. deprecated:: 1.8 + + ``removetags`` cannot guarantee HTML safe output and has been deprecated due + to security concerns. Consider using `bleach`_ instead. + +.. _bleach: http://bleach.readthedocs.org/en/latest/ + Removes a space-separated list of [X]HTML tags from the output. For example:: diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index b7e3693f59..2f2b15de35 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -630,10 +630,13 @@ escaping HTML. If you are looking for a more robust solution, take a look at the `bleach`_ Python library. - .. _bleach: https://pypi.python.org/pypi/bleach - .. function:: remove_tags(value, tags) + .. deprecated:: 1.8 + + ``remove_tags()`` cannot guarantee HTML safe output and has been + deprecated due to security concerns. Consider using `bleach`_ instead. + Removes a space-separated list of [X]HTML tag names from the output. Absolutely NO guarantee is provided about the resulting string being HTML @@ -656,6 +659,7 @@ escaping HTML. the return value will be ``"Joel a slug"``. .. _str.format: http://docs.python.org/library/stdtypes.html#str.format +.. _bleach: https://pypi.python.org/pypi/bleach ``django.utils.http`` ===================== -- cgit v1.3