mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-04 19:08:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Improved strip_tags and clarified documentation

Browse source 
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
This commit is contained in:
Claude Paroz 2014-03-20 16:50:50 +01:00
parent aaa2110259
commit 6ca6c36f82
4 changed files with 51 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

12
docs/ref/templates/builtins.txt
View file

@ -1985,7 +1985,7 @@ If ``value`` is ``10``, the output will be ``1.000000E+01``.
striptags
^^^^^^^^^
Strips all [X]HTML tags.
Makes all possible efforts to strip all [X]HTML tags.
For example::
@ -1994,6 +1994,16 @@ For example::
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``, the
output will be ``"Joel is a slug"``.
.. admonition:: No safety guarantee
Note that ``striptags`` doesn't give any guarantee about its output being
entirely HTML safe, particularly with non valid HTML input. So **NEVER**
apply the ``safe`` filter to a ``striptags`` output.
If you are looking for something more robust, you can use the ``bleach``
Python library, notably its `clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
.. templatefilter:: time
time