mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-04 10:59:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Added a warning that remove_tags() output shouldn't be considered safe.

Browse source
This commit is contained in:
Tim Graham 2014-08-07 09:20:59 -04:00
parent c2d3f18874
commit 7efce77de2
2 changed files with 28 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

10
docs/ref/utils.txt
View file

@ -615,7 +615,8 @@ escaping HTML.
Tries to remove anything that looks like an HTML tag from the string, that
is anything contained within ``<>``.
Absolutely NO guaranty is provided about the resulting string being entirely
Absolutely NO guarantee is provided about the resulting string being
HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without
escaping it first, for example with :func:`~django.utils.html.escape`.
@ -635,6 +636,13 @@ escaping HTML.
Removes a space-separated list of [X]HTML tag names from the output.
Absolutely NO guarantee is provided about the resulting string being HTML
safe. In particular, it doesn't work recursively, so the output of
``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
won't remove the "nested" script tags. So if the ``value`` is untrusted,
NEVER mark safe the result of a ``remove_tags()`` call without escaping it
first, for example with :func:`~django.utils.html.escape`.
For example::
remove_tags(value, "b span")