Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter.

Also the unused, undocumented django.utils.html.strip_entities() function.
2025-10-24 06:06:09 +00:00 · 2014-08-11 07:24:51 -04:00
parent deed00c0d8
commit e122facbd8
8 changed files with 62 additions and 10 deletions
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1918,6 +1918,13 @@ If ``value`` is the list ``['a', 'b', 'c', 'd']``, the output could be ``"b"``.
 removetags
 ^^^^^^^^^^

+.. deprecated:: 1.8
+
+    ``removetags`` cannot guarantee HTML safe output and has been deprecated due
+    to security concerns. Consider using `bleach`_ instead.
+
+.. _bleach: http://bleach.readthedocs.org/en/latest/
+
 Removes a space-separated list of [X]HTML tags from the output.

 For example::
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -630,10 +630,13 @@ escaping HTML.
    If you are looking for a more robust solution, take a look at the `bleach`_
    Python library.

-    .. _bleach: https://pypi.python.org/pypi/bleach
-
 .. function:: remove_tags(value, tags)

+    .. deprecated:: 1.8
+
+        ``remove_tags()`` cannot guarantee HTML safe output and has been
+        deprecated due to security concerns. Consider using `bleach`_ instead.
+
    Removes a space-separated list of [X]HTML tag names from the output.

    Absolutely NO guarantee is provided about the resulting string being HTML
@@ -656,6 +659,7 @@ escaping HTML.
    the return value will be ``"<B>Joel</B> <button>is</button> a slug"``.

 .. _str.format: http://docs.python.org/library/stdtypes.html#str.format
+.. _bleach: https://pypi.python.org/pypi/bleach

 ``django.utils.http``
 =====================