From d1503afd66ca8f2f8d3819ba8a60727e0ee66cec Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Thu, 20 Mar 2014 16:50:50 +0100 Subject: [1.6.x] Improved strip_tags and clarified documentation The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/ Backport of 6ca6c36f8 from master. --- docs/ref/templates/builtins.txt | 12 +++++++++++- docs/ref/utils.txt | 18 ++++++++++++------ 2 files changed, 23 insertions(+), 7 deletions(-) (limited to 'docs') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 62568df2eb..6d6c159fe3 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2012,7 +2012,7 @@ If ``value`` is ``10``, the output will be ``1.000000E+01``. striptags ^^^^^^^^^ -Strips all [X]HTML tags. +Makes all possible efforts to strip all [X]HTML tags. For example:: @@ -2021,6 +2021,16 @@ For example:: If ``value`` is ``"Joel a slug"``, the output will be ``"Joel is a slug"``. +.. admonition:: No safety guarantee + + Note that ``striptags`` doesn't give any guarantee about its output being + entirely HTML safe, particularly with non valid HTML input. So **NEVER** + apply the ``safe`` filter to a ``striptags`` output. + If you are looking for something more robust, you can use the ``bleach`` + Python library, notably its `clean`_ method. + +.. _clean: http://bleach.readthedocs.org/en/latest/clean.html + .. templatefilter:: time time diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt index c75f38566a..107f6fd591 100644 --- a/docs/ref/utils.txt +++ b/docs/ref/utils.txt @@ -616,17 +616,23 @@ escaping HTML. .. function:: strip_tags(value) - Removes anything that looks like an html tag from the string, that is - anything contained within ``<>``. + Tries to remove anything that looks like an HTML tag from the string, that + is anything contained within ``<>``. + Absolutely NO guaranty is provided about the resulting string being entirely + HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without + escaping it first, for example with :func:`~django.utils.html.escape`. For example:: strip_tags(value) - If ``value`` is ``"Joel a slug"`` the - return value will be ``"Joel is a slug"``. Note that ``strip_tags`` result - may still contain unsafe HTML content, so you might use - :func:`~django.utils.html.escape` to make it a safe string. + If ``value`` is ``"Joel a slug"`` + the return value will be ``"Joel is a slug"``. + + If you are looking for a more robust solution, take a look at the `bleach`_ + Python library. + + .. _bleach: https://pypi.python.org/pypi/bleach .. versionchanged:: 1.6 -- cgit v1.3