
[1.5.x] Fixed #19237 -- Improved strip_tags utility

The previous pattern didn't properly address cases where '>'
was present inside quoted tag content.
Backport of bf1871d from master.
commit 9efe1a7210ee161d5688f66a759bcd8d89d33142 1 parent a708b8f
Chris Khoo authored November 24, 2012 claudep committed November 24, 2012
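--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -33,6 +33,7 @@
 html_gunk_re = re.compile(r'(?:<br clear="all">|<i><\/i>|<b><\/b>|<em><\/em>|<strong><\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE)
 hard_coded_bullets_re = re.compile(r'((?:<p>(?:%s).*?[a-zA-Z].*?</p>\s*)+)' % '|'.join([re.escape(x) for x in DOTS]), re.DOTALL)
 trailing_empty_content_re = re.compile(r'(?:<p>(?:&nbsp;|\s|<br \/>)*?</p>\s*)+\Z')
+strip_tags_re = re.compile(r'</?\S([^=]*=(\s*"[^"]*"|\s*\'[^\']*\'|\S*)|[^>])*?>', re.IGNORECASE)
 
 
 def escape(text):
@@ -117,7 +118,7 @@ def linebreaks(value, autoescape=False):
 
 def strip_tags(value):
     """Returns the given HTML with all tags stripped."""
-    return re.sub(r'<[^>]*?>', '', force_text(value))
+    return strip_tags_re.sub('', force_text(value))
 strip_tags = allow_lazy(strip_tags)
 
 def remove_tags(html, tags):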
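Review bot: In the new `strip_tags_re`, `[^=]*` and the unquoted-value branch `\S*` are not bounded by `>`, so a match can run past the end of one tag into the next. Tracing a constructed input such as `a<p class="x" >b</p><i id="y">c</i>` by hand, the first match appears to extend to the `>` of the `<i>` tag and drop the text `b`. Excluding `>` from both classes narrows this: `[^=>]*=(\s*"[^"]*"|\s*\'[^\']*\'|[^\s>]*)`. The alternatives inside the lazy group still overlap on characters such as `=`, so backtracking on a long unterminated tag can grow much faster than the input; as strip_tags is likely to be fed untrusted markup, a length cap at the call site or a parser-based implementation is worth considering.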
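--- a/tests/regressiontests/utils/html.py
+++ b/tests/regressiontests/utils/html.py
@@ -65,6 +65,9 @@ def test_strip_tags(self):
             ('<f', '<f'),
             ('</fe', '</fe'),
             ('<x>b<y>', 'b'),
+            ('a<p onclick="alert(\'<test>\')">b</p>c', 'abc'),
+            ('a<p a >b</p>c', 'abc'),
+            ('d<a:b c:d>e</p>f', 'def'),
         )
         for value, output in items:
             self.check_output(f, value, output)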
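Review bot: The added cases do not cover the single-quoted attribute branch or text sitting between two attribute-bearing tags, so a match that runs past a tag's closing `>` would go unnoticed. Consider adding `('a<p title=\'x>y\'>b</p>c', 'abc'),` and `('a<p class="x" >b</p><i id="y">c</i>', 'abc'),` (constructed inputs); from reading the new pattern in django/utils/html.py the second may currently fail, which is the behaviour worth pinning. The neighbouring cases `('<f', '<f')` and `('</fe', '</fe')` show that unterminated fragments pass through unchanged, so the output still needs escaping before it is rendered as HTML; a short comment next to these cases saying so would help. test_strip_tags starts above this hunk.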
