mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.5.x] Added a warning that remove_tags() output shouldn't be considered safe.

Browse Source 
Backport of 7efce77de2 from master
This commit is contained in:
Tim Graham
2014-08-07 09:20:59 -04:00
parent 5d6e4031df
commit 00ec30d3c4
2 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
docs/ref/templates/builtins.txt
View File

@@ -1831,15 +1831,27 @@ Removes a space-separated list of [X]HTML tags from the output.
For example::
{{ value|removetags:"b span"|safe }}
{{ value|removetags:"b span" }}
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
output will be ``"Joel <button>is</button> a slug"``.
unescaped output will be ``"Joel <button>is</button> a slug"``.
Note that this filter is case-sensitive.
If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the
output will be ``"<B>Joel</B> <button>is</button> a slug"``.
unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``.
.. admonition:: No safety guarantee
Note that ``removetags`` doesn't give any guarantee about its output being
HTML safe. In particular, it doesn't work recursively, so an input like
``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if
you apply ``|removetags:"script"``. So if the input is user provided,
**NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are
looking for something more robust, you can use the ``bleach`` Python
library, notably its `clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
.. templatefilter:: rjust
@@ -1956,10 +1968,10 @@ output will be ``"Joel is a slug"``.
.. admonition:: No safety guarantee
Note that ``striptags`` doesn't give any guarantee about its output being
entirely HTML safe, particularly with non valid HTML input. So **NEVER**
apply the ``safe`` filter to a ``striptags`` output.
If you are looking for something more robust, you can use the ``bleach``
Python library, notably its `clean`_ method.
HTML safe, particularly with non valid HTML input. So **NEVER** apply the
``safe`` filter to a ``striptags`` output. If you are looking for something
more robust, you can use the ``bleach`` Python library, notably its
`clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html

10
docs/ref/utils.txt
View File

@@ -618,7 +618,8 @@ escaping HTML.
Tries to remove anything that looks like an HTML tag from the string, that
is anything contained within ``<>``.
Absolutely NO guaranty is provided about the resulting string being entirely
Absolutely NO guarantee is provided about the resulting string being
HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
escaping it first, for example with :func:`~django.utils.html.escape`.
@@ -638,6 +639,13 @@ escaping HTML.
Removes a space-separated list of [X]HTML tag names from the output.
Absolutely NO guarantee is provided about the resulting string being HTML
safe. In particular, it doesn't work recursively, so the output of
``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
won't remove the "nested" script tags. So if the ``value`` is untrusted,
NEVER mark safe the result of a ``remove_tags()`` call without escaping it
first, for example with :func:`~django.utils.html.escape`.
For example::
remove_tags(value, "b span")