From 222d0633010e2f37f9fbd2d0559ecc4a5643c738 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Tue, 18 Aug 2015 10:09:17 -0400 Subject: Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline. --- docs/ref/templates/builtins.txt | 38 -------------------------------------- docs/ref/utils.txt | 37 ++++--------------------------------- docs/releases/1.5.txt | 2 +- 3 files changed, 5 insertions(+), 72 deletions(-) (limited to 'docs') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 9bf22e4740..1623ff357b 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1866,44 +1866,6 @@ For example:: If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``. -.. templatefilter:: removetags - -removetags -^^^^^^^^^^ - -.. deprecated:: 1.8 - - ``removetags`` cannot guarantee HTML safe output and has been deprecated due - to security concerns. Consider using `bleach`_ instead. - -.. _bleach: http://bleach.readthedocs.org/en/latest/ - -Removes a space-separated list of [X]HTML tags from the output. - -For example:: - - {{ value|removetags:"b span" }} - -If ``value`` is ``"Joel a slug"`` the -unescaped output will be ``"Joel a slug"``. - -Note that this filter is case-sensitive. - -If ``value`` is ``"Joel a slug"`` the -unescaped output will be ``"Joel a slug"``. - -.. admonition:: No safety guarantee - - Note that ``removetags`` doesn't give any guarantee about its output being - HTML safe. In particular, it doesn't work recursively, so an input like - ``"ript>alert('XSS')ript>"`` won't be safe even if - you apply ``|removetags:"script"``. So if the input is user provided, - **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are - looking for something more robust, you can use the ``bleach`` Python - library, notably its `clean`_ method. - -.. _clean: http://bleach.readthedocs.org/en/latest/clean.html - .. templatefilter:: rjust rjust diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index c24551b9ec..6843c8c9ce 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -621,6 +621,8 @@ escaping HTML. through :func:`conditional_escape` which (ultimately) calls :func:`~django.utils.encoding.force_text` on the values. + .. _str.format: https://docs.python.org/library/stdtypes.html#str.format + .. function:: format_html_join(sep, format_string, args_generator) A wrapper of :func:`format_html`, for the common case of a group of @@ -650,39 +652,8 @@ escaping HTML. If ``value`` is ``"Joel a slug"`` the return value will be ``"Joel is a slug"``. - If you are looking for a more robust solution, take a look at the `bleach`_ - Python library. - -.. function:: remove_tags(value, tags) - - .. deprecated:: 1.8 - - ``remove_tags()`` cannot guarantee HTML safe output and has been - deprecated due to security concerns. Consider using `bleach`_ instead. - - Removes a space-separated list of [X]HTML tag names from the output. - - Absolutely NO guarantee is provided about the resulting string being HTML - safe. In particular, it doesn't work recursively, so the output of - ``remove_tags("ript>alert('XSS')ript>", "script")`` - won't remove the "nested" script tags. So if the ``value`` is untrusted, - NEVER mark safe the result of a ``remove_tags()`` call without escaping it - first, for example with :func:`~django.utils.html.escape`. - - For example:: - - remove_tags(value, "b span") - - If ``value`` is ``"Joel a slug"`` - the return value will be ``"Joel a slug"``. - - Note that this filter is case-sensitive. - - If ``value`` is ``"Joel a slug"`` - the return value will be ``"Joel a slug"``. - -.. _str.format: https://docs.python.org/library/stdtypes.html#str.format -.. _bleach: https://pypi.python.org/pypi/bleach + If you are looking for a more robust solution, take a look at the `bleach + `_ Python library. .. function:: html_safe() diff --git a/docs/releases/1.5.txt b/docs/releases/1.5.txt index 6c861a5359..dc42ddbf66 100644 --- a/docs/releases/1.5.txt +++ b/docs/releases/1.5.txt @@ -671,7 +671,7 @@ Miscellaneous * The ``slugify`` template filter is now available as a standard python function at :func:`django.utils.text.slugify`. Similarly, ``remove_tags`` is - available at :func:`django.utils.html.remove_tags`. + available at ``django.utils.html.remove_tags()``. * Uploaded files are no longer created as executable by default. If you need them to be executable change :setting:`FILE_UPLOAD_PERMISSIONS` to your -- cgit v1.3