Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fixed #19237 (again) - Made strip_tags consistent between Python vers…

…ions
  • Loading branch information...
commit b664cb818d2e5896df2763299ea2c61a9af069a8 1 parent 8c2fd05
Claude Paroz claudep authored
14 django/utils/html.py
View
@@ -16,7 +16,7 @@
from django.utils import six
from django.utils.text import normalize_newlines
-from .html_parser import HTMLParser
+from .html_parser import HTMLParser, HTMLParseError
# Configuration for urlize() function.
@@ -136,13 +136,13 @@ def get_data(self):
def strip_tags(value):
"""Returns the given HTML with all tags stripped."""
s = MLStripper()
- s.feed(value)
- data = s.get_data()
try:
- res = s.close()
- except Exception as e:
- data += s.rawdata
- return data
+ s.feed(value)
+ s.close()
+ except HTMLParseError:
+ return value
+ else:
+ return s.get_data()
strip_tags = allow_lazy(strip_tags)
def remove_tags(html, tags):
10 docs/ref/utils.txt
View
@@ -490,7 +490,7 @@ Atom1Feed
Usually you should build up HTML using Django's templates to make use of its
autoescape mechanism, using the utilities in :mod:`django.utils.safestring`
-where appropriate. This module provides some additional low level utilitiesfor
+where appropriate. This module provides some additional low level utilities for
escaping HTML.
.. function:: escape(text)
@@ -564,7 +564,13 @@ escaping HTML.
strip_tags(value)
If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
- return value will be ``"Joel is a slug"``.
+ return value will be ``"Joel is a slug"``. Note that ``strip_tags`` result
+ may still contain unsafe HTML content, so you might use
+ :func:`~django.utils.html.escape` to make it a safe string.
+
+ .. versionchanged:: 1.6
+
+ For improved safety, ``strip_tags`` is now parser-based.
.. function:: remove_tags(value, tags)
3  tests/utils_tests/test_html.py
View
@@ -70,6 +70,9 @@ def test_strip_tags(self):
('</adf>a', 'a'),
('<asdf><asdf>e', 'e'),
('hi, <f x', 'hi, <f x'),
+ ('234<235, right?', '234<235, right?'),
+ ('a4<a5 right?', 'a4<a5 right?'),
+ ('b7>b2!', 'b7>b2!'),
('</fe', '</fe'),
('<x>b<y>', 'b'),
('a<p onclick="alert(\'<test>\')">b</p>c', 'abc'),
Please sign in to comment.
Something went wrong with that request. Please try again.