mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-30 17:16:10 +00:00
Code Issues 32 Releases Wiki Activity

[1.5.x] Clarified strip_tags documentation

Browse Source 
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/

Partial backport (doc-only) of 6ca6c36f82 from master.
This commit is contained in:
Claude Paroz
2014-03-22 11:14:15 +01:00
parent b86ff4ee82
commit 468d06077a
2 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/ref/templates/builtins.txt
View File

@@ -1944,7 +1944,7 @@ If ``value`` is ``10``, the output will be ``1.000000E+01``.
striptags striptags
^^^^^^^^^ ^^^^^^^^^
Strips all [X]HTML tags. Makes all possible efforts to strip all [X]HTML tags.
For example:: For example::
@@ -1953,6 +1953,16 @@ For example::
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``, the If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``, the
output will be ``"Joel is a slug"``. output will be ``"Joel is a slug"``.
.. admonition:: No safety guarantee
Note that ``striptags`` doesn't give any guarantee about its output being
entirely HTML safe, particularly with non valid HTML input. So **NEVER**
apply the ``safe`` filter to a ``striptags`` output.
If you are looking for something more robust, you can use the ``bleach``
Python library, notably its `clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
.. templatefilter:: time .. templatefilter:: time
time time

16
docs/ref/utils.txt
View File

@@ -616,15 +616,23 @@ escaping HTML.
.. function:: strip_tags(value) .. function:: strip_tags(value)
Removes anything that looks like an html tag from the string, that is Tries to remove anything that looks like an HTML tag from the string, that
anything contained within ``<>``. is anything contained within ``<>``.
Absolutely NO guaranty is provided about the resulting string being entirely
HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
escaping it first, for example with :func:`~django.utils.html.escape`.
For example:: For example::
strip_tags(value) strip_tags(value)
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
return value will be ``"Joel is a slug"``. the return value will be ``"Joel is a slug"``.
If you are looking for a more robust solution, take a look at the `bleach`_
Python library.
.. _bleach: https://pypi.python.org/pypi/bleach
.. function:: remove_tags(value, tags) .. function:: remove_tags(value, tags)