Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline.

2025-07-24 05:36:15 +00:00 · 2015-08-18 10:09:17 -04:00 · 2015-08-18 10:09:17 -04:00 · 222d063301
commit 222d063301
parent 785cc71d5b
7 changed files with 7 additions and 189 deletions
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@ -1866,44 +1866,6 @@ For example::

 If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``.

-.. templatefilter:: removetags
-
-removetags
-^^^^^^^^^^
-
-.. deprecated:: 1.8
-
-    ``removetags`` cannot guarantee HTML safe output and has been deprecated due
-    to security concerns. Consider using `bleach`_ instead.
-
-.. _bleach: http://bleach.readthedocs.org/en/latest/
-
-Removes a space-separated list of [X]HTML tags from the output.
-
-For example::
-
-    {{ value|removetags:"b span" }}
-
-If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
-unescaped output will be ``"Joel <button>is</button> a slug"``.
-
-Note that this filter is case-sensitive.
-
-If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the
-unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``.
-
-.. admonition:: No safety guarantee
-
-    Note that ``removetags`` doesn't give any guarantee about its output being
-    HTML safe. In particular, it doesn't work recursively, so an input like
-    ``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if
-    you apply ``|removetags:"script"``. So if the input is user provided,
-    **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are
-    looking for something more robust, you can use the ``bleach`` Python
-    library, notably its `clean`_ method.
-
-.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
-
 .. templatefilter:: rjust

 rjust
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@ -621,6 +621,8 @@ escaping HTML.
    through :func:`conditional_escape` which (ultimately) calls
    :func:`~django.utils.encoding.force_text` on the values.

+    .. _str.format: https://docs.python.org/library/stdtypes.html#str.format
+
 .. function:: format_html_join(sep, format_string, args_generator)

    A wrapper of :func:`format_html`, for the common case of a group of
@ -650,39 +652,8 @@ escaping HTML.
    If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
    the return value will be ``"Joel is a slug"``.

-    If you are looking for a more robust solution, take a look at the `bleach`_
-    Python library.
-
-.. function:: remove_tags(value, tags)
-
-    .. deprecated:: 1.8
-
-        ``remove_tags()`` cannot guarantee HTML safe output and has been
-        deprecated due to security concerns. Consider using `bleach`_ instead.
-
-    Removes a space-separated list of [X]HTML tag names from the output.
-
-    Absolutely NO guarantee is provided about the resulting string being HTML
-    safe. In particular, it doesn't work recursively, so the output of
-    ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
-    won't remove the "nested" script tags. So if the ``value`` is untrusted,
-    NEVER mark safe the result of a ``remove_tags()`` call without escaping it
-    first, for example with :func:`~django.utils.html.escape`.
-
-    For example::
-
-        remove_tags(value, "b span")
-
-    If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
-    the return value will be ``"Joel <button>is</button> a slug"``.
-
-    Note that this filter is case-sensitive.
-
-    If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"``
-    the return value will be ``"<B>Joel</B> <button>is</button> a slug"``.
-
-.. _str.format: https://docs.python.org/library/stdtypes.html#str.format
-.. _bleach: https://pypi.python.org/pypi/bleach
+    If you are looking for a more robust solution, take a look at the `bleach
+    <https://pypi.python.org/pypi/bleach>`_ Python library.

 .. function:: html_safe()

--- a/docs/releases/1.5.txt
+++ b/docs/releases/1.5.txt
@ -671,7 +671,7 @@ Miscellaneous

 * The ``slugify`` template filter is now available as a standard python
  function at :func:`django.utils.text.slugify`. Similarly, ``remove_tags`` is
-  available at :func:`django.utils.html.remove_tags`.
+  available at ``django.utils.html.remove_tags()``.

 * Uploaded files are no longer created as executable by default. If you need
  them to be executable change :setting:`FILE_UPLOAD_PERMISSIONS` to your