Loading docs/ref/templates/builtins.txt +19 −7 Original line number Diff line number Diff line Loading @@ -1922,15 +1922,27 @@ Removes a space-separated list of [X]HTML tags from the output. For example:: {{ value|removetags:"b span"|safe }} {{ value|removetags:"b span" }} If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the output will be ``"Joel <button>is</button> a slug"``. unescaped output will be ``"Joel <button>is</button> a slug"``. Note that this filter is case-sensitive. If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the output will be ``"<B>Joel</B> <button>is</button> a slug"``. unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``. .. admonition:: No safety guarantee Note that ``removetags`` doesn't give any guarantee about its output being HTML safe. In particular, it doesn't work recursively, so an input like ``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if you apply ``|removetags:"script"``. So if the input is user provided, **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are looking for something more robust, you can use the ``bleach`` Python library, notably its `clean`_ method. .. _clean: http://bleach.readthedocs.org/en/latest/clean.html .. templatefilter:: rjust Loading Loading @@ -2047,10 +2059,10 @@ output will be ``"Joel is a slug"``. .. admonition:: No safety guarantee Note that ``striptags`` doesn't give any guarantee about its output being entirely HTML safe, particularly with non valid HTML input. So **NEVER** apply the ``safe`` filter to a ``striptags`` output. If you are looking for something more robust, you can use the ``bleach`` Python library, notably its `clean`_ method. HTML safe, particularly with non valid HTML input. So **NEVER** apply the ``safe`` filter to a ``striptags`` output. If you are looking for something more robust, you can use the ``bleach`` Python library, notably its `clean`_ method. .. _clean: http://bleach.readthedocs.org/en/latest/clean.html Loading docs/ref/utils.txt +9 −1 Original line number Diff line number Diff line Loading @@ -615,7 +615,8 @@ escaping HTML. Tries to remove anything that looks like an HTML tag from the string, that is anything contained within ``<>``. Absolutely NO guaranty is provided about the resulting string being entirely Absolutely NO guarantee is provided about the resulting string being HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without escaping it first, for example with :func:`~django.utils.html.escape`. Loading @@ -635,6 +636,13 @@ escaping HTML. Removes a space-separated list of [X]HTML tag names from the output. Absolutely NO guarantee is provided about the resulting string being HTML safe. In particular, it doesn't work recursively, so the output of ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")`` won't remove the "nested" script tags. So if the ``value`` is untrusted, NEVER mark safe the result of a ``remove_tags()`` call without escaping it first, for example with :func:`~django.utils.html.escape`. For example:: remove_tags(value, "b span") Loading Loading
docs/ref/templates/builtins.txt +19 −7 Original line number Diff line number Diff line Loading @@ -1922,15 +1922,27 @@ Removes a space-separated list of [X]HTML tags from the output. For example:: {{ value|removetags:"b span"|safe }} {{ value|removetags:"b span" }} If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the output will be ``"Joel <button>is</button> a slug"``. unescaped output will be ``"Joel <button>is</button> a slug"``. Note that this filter is case-sensitive. If ``value`` is ``"<B>Joel</B> <button>is</button> a <span>slug</span>"`` the output will be ``"<B>Joel</B> <button>is</button> a slug"``. unescaped output will be ``"<B>Joel</B> <button>is</button> a slug"``. .. admonition:: No safety guarantee Note that ``removetags`` doesn't give any guarantee about its output being HTML safe. In particular, it doesn't work recursively, so an input like ``"<sc<script>ript>alert('XSS')</sc</script>ript>"`` won't be safe even if you apply ``|removetags:"script"``. So if the input is user provided, **NEVER** apply the ``safe`` filter to a ``removetags`` output. If you are looking for something more robust, you can use the ``bleach`` Python library, notably its `clean`_ method. .. _clean: http://bleach.readthedocs.org/en/latest/clean.html .. templatefilter:: rjust Loading Loading @@ -2047,10 +2059,10 @@ output will be ``"Joel is a slug"``. .. admonition:: No safety guarantee Note that ``striptags`` doesn't give any guarantee about its output being entirely HTML safe, particularly with non valid HTML input. So **NEVER** apply the ``safe`` filter to a ``striptags`` output. If you are looking for something more robust, you can use the ``bleach`` Python library, notably its `clean`_ method. HTML safe, particularly with non valid HTML input. So **NEVER** apply the ``safe`` filter to a ``striptags`` output. If you are looking for something more robust, you can use the ``bleach`` Python library, notably its `clean`_ method. .. _clean: http://bleach.readthedocs.org/en/latest/clean.html Loading
docs/ref/utils.txt +9 −1 Original line number Diff line number Diff line Loading @@ -615,7 +615,8 @@ escaping HTML. Tries to remove anything that looks like an HTML tag from the string, that is anything contained within ``<>``. Absolutely NO guaranty is provided about the resulting string being entirely Absolutely NO guarantee is provided about the resulting string being HTML safe. So NEVER mark safe the result of a ``strip_tag`` call without escaping it first, for example with :func:`~django.utils.html.escape`. Loading @@ -635,6 +636,13 @@ escaping HTML. Removes a space-separated list of [X]HTML tag names from the output. Absolutely NO guarantee is provided about the resulting string being HTML safe. In particular, it doesn't work recursively, so the output of ``remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script")`` won't remove the "nested" script tags. So if the ``value`` is untrusted, NEVER mark safe the result of a ``remove_tags()`` call without escaping it first, for example with :func:`~django.utils.html.escape`. For example:: remove_tags(value, "b span") Loading
