diff options
| author | Tim Graham <timograham@gmail.com> | 2014-08-07 09:20:59 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-11 07:11:30 -0400 |
| commit | 88cb7aa6aa2272b02aa3914111083c4cd3094f1b (patch) | |
| tree | a59dcc423f2bcbe0a70d7f223d80c660f168dd49 | |
| parent | 399052d224143c3dbd7e7bbbff14ff577881c669 (diff) | |
[1.4.x] Added a warning that remove_tags() output shouldn't be considered safe.
Backport of 7efce77de2 from master
| -rw-r--r-- | docs/ref/templates/builtins.txt | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index e2734c9747..4b1a6be7cf 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1875,15 +1875,27 @@ Removes a space-separated list of [X]HTML tags from the output. For example:: - {{ value|removetags:"b span"|safe }} + {{ value|removetags:"b span" }} If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the -output will be ``"Joel <button>is</button> a slug"``. +unescaped output will be ``"Joel <button>is</button> a slug"``. Note that this filter is case-sensitive. If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the -output will be ``"<B>Joel</B> <button>is</button> a slug"``. +unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``. + +.. admonition:: No safety guarantee + + Note that ``removetags`` doesn't give any guarantee about its output being + HTML safe. In particular, it doesn't work recursively, so an input like + ``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if + you apply ``|removetags:"script"``. So if the input is user provided, + **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are + looking for something more robust, you can use the ``bleach`` Python + library, notably its `clean`_ method. + +.. _clean: http://bleach.readthedocs.org/en/latest/clean.html .. templatefilter:: rjust @@ -2000,10 +2012,10 @@ output will be ``"Joel is a slug"``. .. admonition:: No safety guarantee Note that ``striptags`` doesn't give any guarantee about its output being - entirely HTML safe, particularly with non valid HTML input. So **NEVER** - apply the ``safe`` filter to a ``striptags`` output. - If you are looking for something more robust, you can use the ``bleach`` - Python library, notably its `clean`_ method. + HTML safe, particularly with non valid HTML input. So **NEVER** apply the + ``safe`` filter to a ``striptags`` output. If you are looking for something + more robust, you can use the ``bleach`` Python library, notably its + `clean`_ method. .. _clean: http://bleach.readthedocs.org/en/latest/clean.html |