mirror of https://github.com/django/django.git synced 2025-10-25 22:56:12 +00:00
	Added a warning that remove_tags() output shouldn't be considered safe.
		| @@ -1922,15 +1922,27 @@ Removes a space-separated list of [X]HTML tags from the output. | |||||||
|  |  | ||||||
| For example:: | For example:: | ||||||
|  |  | ||||||
|     {{ value|removetags:"b span"|safe }} |     {{ value|removetags:"b span" }} | ||||||
|  |  | ||||||
| If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the | If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the | ||||||
| output will be ``"Joel <button>is</button> a slug"``. | unescaped output will be ``"Joel <button>is</button> a slug"``. | ||||||
|  |  | ||||||
| Note that this filter is case-sensitive. | Note that this filter is case-sensitive. | ||||||
|  |  | ||||||
| If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the | If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the | ||||||
| output will be ``"<B>Joel</B> <button>is</button> a slug"``. | unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``. | ||||||
|  |  | ||||||
|  | .. admonition:: No safety guarantee | ||||||
|  |  | ||||||
|  |     Note that ``removetags`` doesn't give any guarantee about its output being | ||||||
|  |     HTML safe. In particular, it doesn't work recursively, so an input like | ||||||
|  |     ``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if | ||||||
|  |     you apply ``|removetags:"script"``. So if the input is user provided, | ||||||
|  |     **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are | ||||||
|  |     looking for something more robust, you can use the ``bleach`` Python | ||||||
|  |     library, notably its `clean`_ method. | ||||||
|  |  | ||||||
|  | .. _clean: http://bleach.readthedocs.org/en/latest/clean.html | ||||||
|  |  | ||||||
| .. templatefilter:: rjust | .. templatefilter:: rjust | ||||||
|  |  | ||||||
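Review bot: the new admonition states that the nested input "won't be safe" but never shows why; spelling out that a single pass strips only the inner ``<script>`` and ``</script>`` and leaves ``<script>alert('XSS')</script>`` behind makes the "doesn't work recursively" claim concrete for readers, and would match the wording used in the ``remove_tags()`` hunk for ``django.utils.html`` ("won't remove the "nested" script tags"). Minor: ``.. _clean: http://bleach.readthedocs.org/en/latest/clean.html`` is now defined twice in this file (here and in the ``striptags`` section); docutils tolerates a duplicate explicit target only while both URLs stay identical, so one shared target definition would be easier to keep consistent.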
| @@ -2047,10 +2059,10 @@ output will be ``"Joel is a slug"``. | |||||||
| .. admonition:: No safety guarantee | .. admonition:: No safety guarantee | ||||||
|  |  | ||||||
|     Note that ``striptags`` doesn't give any guarantee about its output being |     Note that ``striptags`` doesn't give any guarantee about its output being | ||||||
|     entirely HTML safe, particularly with non valid HTML input. So **NEVER** |     HTML safe, particularly with non valid HTML input. So **NEVER** apply the | ||||||
|     apply the ``safe`` filter to a ``striptags`` output. |     ``safe`` filter to a ``striptags`` output. If you are looking for something | ||||||
|     If you are looking for something more robust, you can use the ``bleach`` |     more robust, you can use the ``bleach`` Python library, notably its | ||||||
|     Python library, notably its `clean`_ method. |     `clean`_ method. | ||||||
|  |  | ||||||
| .. _clean: http://bleach.readthedocs.org/en/latest/clean.html | .. _clean: http://bleach.readthedocs.org/en/latest/clean.html | ||||||
|  |  | ||||||
|   | |||||||
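Review bot: "non valid HTML input" on the second line of the admonition body would read better as "invalid HTML input"; since the paragraph is being reflowed in this hunk anyway, it is a cheap fix. The reflow itself is fine, and dropping "entirely" keeps the text in line with the wording now used in the ``strip_tags()`` docstring hunk.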
| @@ -615,7 +615,8 @@ escaping HTML. | |||||||
|  |  | ||||||
|     Tries to remove anything that looks like an HTML tag from the string, that |     Tries to remove anything that looks like an HTML tag from the string, that | ||||||
|     is anything contained within ``<>``. |     is anything contained within ``<>``. | ||||||
|     Absolutely NO guaranty is provided about the resulting string being entirely |  | ||||||
|  |     Absolutely NO guarantee is provided about the resulting string being | ||||||
|     HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without |     HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without | ||||||
|     escaping it first, for example with :func:`~django.utils.html.escape`. |     escaping it first, for example with :func:`~django.utils.html.escape`. | ||||||
|  |  | ||||||
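Review bot: the unchanged context line directly below the corrected sentence still names the function ``strip_tag`` ("So NEVER mark safe the result of a ``strip_tag`` call"); the function documented here is ``strip_tags``, so while the "guaranty" typo is being fixed, that name should be corrected in the same commit.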
| @@ -635,6 +636,13 @@ escaping HTML. | |||||||
|  |  | ||||||
|     Removes a space-separated list of [X]HTML tag names from the output. |     Removes a space-separated list of [X]HTML tag names from the output. | ||||||
|  |  | ||||||
|  |     Absolutely NO guarantee is provided about the resulting string being HTML | ||||||
|  |     safe. In particular, it doesn't work recursively, so the output of | ||||||
|  |     ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")`` | ||||||
|  |     won't remove the "nested" script tags. So if the ``value`` is untrusted, | ||||||
|  |     NEVER mark safe the result of a ``remove_tags()`` call without escaping it | ||||||
|  |     first, for example with :func:`~django.utils.html.escape`. | ||||||
|  |  | ||||||
|     For example:: |     For example:: | ||||||
|  |  | ||||||
|         remove_tags(value, "b span") |         remove_tags(value, "b span") | ||||||
|   | |||||||
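Review bot: "the output of ``remove_tags(...)`` won't remove the "nested" script tags" mixes up subject and action (the output does not remove anything; the call does). Suggest wording such as: ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")`` returns ``"<script>alert('XSS')</script>"``, so the nested tag survives a single call. Using the same sentence in the ``removetags`` filter admonition would keep both pages describing the behaviour identically.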