Fixed #19237 (again) - Made strip_tags consistent between Python vers…

…ions
django · May 23, 2013 · b664cb8 · b664cb8
1 parent 8c2fd05
commit b664cb8
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 9 deletions.
diff --git a/django/utils/html.py b/django/utils/html.py
@@ -16,7 +16,7 @@
 from django.utils import six
 from django.utils.text import normalize_newlines
 
-from .html_parser import HTMLParser
+from .html_parser import HTMLParser, HTMLParseError
 
 
 # Configuration for urlize() function.
@@ -136,13 +136,13 @@ def get_data(self):
 def strip_tags(value):
     """Returns the given HTML with all tags stripped."""
     s = MLStripper()
-    s.feed(value)
-    data = s.get_data()
     try:
-        res = s.close()
-    except Exception as e:
-        data += s.rawdata
-    return data
+        s.feed(value)
+        s.close()
+    except HTMLParseError:
+        return value
+    else:
+        return s.get_data()
 strip_tags = allow_lazy(strip_tags)
 
 def remove_tags(html, tags):

diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
@@ -490,7 +490,7 @@ Atom1Feed
 
 Usually you should build up HTML using Django's templates to make use of its
 autoescape mechanism, using the utilities in :mod:`django.utils.safestring`
-where appropriate. This module provides some additional low level utilitiesfor
+where appropriate. This module provides some additional low level utilities for
 escaping HTML.
 
 .. function:: escape(text)
@@ -564,7 +564,13 @@ escaping HTML.
         strip_tags(value)
 
     If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
-    return value will be ``"Joel is a slug"``.
+    return value will be ``"Joel is a slug"``. Note that ``strip_tags`` result
+    may still contain unsafe HTML content, so you might use
+    :func:`~django.utils.html.escape` to make it a safe string.
+
+    .. versionchanged:: 1.6
+
+        For improved safety, ``strip_tags`` is now parser-based.
 
 .. function:: remove_tags(value, tags)
 

diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
@@ -70,6 +70,9 @@ def test_strip_tags(self):
             ('</adf>a', 'a'),
             ('<asdf><asdf>e', 'e'),
             ('hi, <f x', 'hi, <f x'),
+            ('234<235, right?', '234<235, right?'),
+            ('a4<a5 right?', 'a4<a5 right?'),
+            ('b7>b2!', 'b7>b2!'),
             ('</fe', '</fe'),
             ('<x>b<y>', 'b'),
             ('a<p onclick="alert(\'<test>\')">b</p>c', 'abc'),