mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline.

Browse Source
This commit is contained in:
Tim Graham
2015-08-18 10:09:17 -04:00
parent 785cc71d5b
commit 222d063301
7 changed files with 7 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
docs/ref/templates/builtins.txt
View File

@@ -1866,44 +1866,6 @@ For example::
If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``.
.. templatefilter:: removetags
removetags
^^^^^^^^^^
.. deprecated:: 1.8
``removetags`` cannot guarantee HTML safe output and has been deprecated due
to security concerns. Consider using `bleach`_ instead.
.. _bleach: http://bleach.readthedocs.org/en/latest/
Removes a space-separated list of [X]HTML tags from the output.
For example::
{{ value|removetags:"b span" }}
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
unescaped output will be ``"Joel <button>is</button> a slug"``.
Note that this filter is case-sensitive.
If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the
unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``.
.. admonition:: No safety guarantee
Note that ``removetags`` doesn't give any guarantee about its output being
HTML safe. In particular, it doesn't work recursively, so an input like
``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if
you apply ``|removetags:"script"``. So if the input is user provided,
**NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are
looking for something more robust, you can use the ``bleach`` Python
library, notably its `clean`_ method.
.. _clean: http://bleach.readthedocs.org/en/latest/clean.html
.. templatefilter:: rjust
rjust

37
docs/ref/utils.txt
View File

@@ -621,6 +621,8 @@ escaping HTML.
through :func:`conditional_escape` which (ultimately) calls
:func:`~django.utils.encoding.force_text` on the values.
.. _str.format: https://docs.python.org/library/stdtypes.html#str.format
.. function:: format_html_join(sep, format_string, args_generator)
A wrapper of :func:`format_html`, for the common case of a group of
@@ -650,39 +652,8 @@ escaping HTML.
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
the return value will be ``"Joel is a slug"``.
If you are looking for a more robust solution, take a look at the `bleach`_
Python library.
.. function:: remove_tags(value, tags)
.. deprecated:: 1.8
``remove_tags()`` cannot guarantee HTML safe output and has been
deprecated due to security concerns. Consider using `bleach`_ instead.
Removes a space-separated list of [X]HTML tag names from the output.
Absolutely NO guarantee is provided about the resulting string being HTML
safe. In particular, it doesn't work recursively, so the output of
``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")``
won't remove the "nested" script tags. So if the ``value`` is untrusted,
NEVER mark safe the result of a ``remove_tags()`` call without escaping it
first, for example with :func:`~django.utils.html.escape`.
For example::
remove_tags(value, "b span")
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"``
the return value will be ``"Joel <button>is</button> a slug"``.
Note that this filter is case-sensitive.
If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"``
the return value will be ``"<B>Joel</B> <button>is</button> a slug"``.
.. _str.format: https://docs.python.org/library/stdtypes.html#str.format
.. _bleach: https://pypi.python.org/pypi/bleach
If you are looking for a more robust solution, take a look at the `bleach
<https://pypi.python.org/pypi/bleach>`_ Python library.
.. function:: html_safe()