Fixed #19237 - The use of > in single or double quoted attributes in strip_tags #491

Closed
Commits on Nov 5, 2012
  1. @khoomeister

    Fixed #19237 - The use of > in single or double quoted attributes in …

    khoomeister authored
    …strip_tags
    
    Updated strip_tags & added tests
Showing with 5 additions and 2 deletions.
  1. +2 −2 django/utils/html.py
  2. +3 −0  tests/regressiontests/utils/html.py
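--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -33,7 +33,7 @@
 html_gunk_re = re.compile(r'(?:<br clear="all">|<i><\/i>|<b><\/b>|<em><\/em>|<strong><\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE)
 hard_coded_bullets_re = re.compile(r'((?:<p>(?:%s).*?[a-zA-Z].*?</p>\s*)+)' % '|'.join([re.escape(x) for x in DOTS]), re.DOTALL)
 trailing_empty_content_re = re.compile(r'(?:<p>(?:&nbsp;|\s|<br \/>)*?</p>\s*)+\Z')
-
+strip_tags_re = re.compile(r'</?\S([^=]*=(\s*"[^"]*"|\s*\'[^\']*\'|\S*)|[^>])*?>', re.IGNORECASE)
 def escape(text):
 """
@@ -117,7 +117,7 @@ def linebreaks(value, autoescape=False):
 def strip_tags(value):
 """Returns the given HTML with all tags stripped."""
- return re.sub(r'<[^>]*?>', '', force_text(value))
+ return strip_tags_re.sub('', force_text(value))
 strip_tags = allow_lazy(strip_tags)
 def remove_tags(html, tags):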
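Review bot: The unquoted-value branch `\S*` in the new `strip_tags_re` (first hunk) also matches `>`, so when an unquoted attribute is followed by text that contains another `>` the pattern strips past the tag's real end: `'a<p b=c>d>e'` becomes `'ae'`, whereas the replaced `<[^>]*?>` gave `'ad>e'`. Excluding the terminator from that branch restores the old result for this input, `strip_tags_re = re.compile(r'</?\S([^=]*=(\s*"[^"]*"|\s*\'[^\']*\'|[^>\s]*)|[^>])*?>', re.IGNORECASE)`. Separately, `([^=]*=…|[^>])*?` nests a quantifier over alternatives that can consume the same characters, so an unterminated tag containing many `=` characters can make `re.sub` backtrack heavily (potentially exponentially); because strip_tags is routinely applied to user-supplied HTML this is a denial-of-service concern, worth at least a comment above the pattern, `# NOTE: nested quantifier over overlapping alternatives; long unterminated tags backtrack heavily`, and longer term a tokenising HTMLParser-based stripper rather than a single regex. Both hunks cut through escape() and remove_tags(), whose bodies are outside this view.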
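--- a/tests/regressiontests/utils/html.py
+++ b/tests/regressiontests/utils/html.py
@@ -65,6 +65,9 @@ def test_strip_tags(self):
 ('<f', '<f'),
 ('</fe', '</fe'),
 ('<x>b<y>', 'b'),
+ ('a<p onclick="alert(\'<test>\')">b</p>c', 'abc'),
+ ('a<p a >b</p>c', 'abc'),
+ ('d<a:b c:d>e</p>f', 'def'),
 )
 for value, output in items:
 self.check_output(f, value, output)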
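Review bot: The three added cases cover quoted attribute values and tags without `=`, but none exercises the unquoted-value alternative of the new pattern or text following such a tag, which is where its `\S*` branch can run past the closing `>`; add `('a<p b=c>d</p>e', 'ade'),` and `('a<p b=c>d>e', 'ad>e'),` to `items` (the second fails against the regex as submitted). A regression test bounded by a timeout for a long unterminated tag would also guard the pattern's nested quantifier against heavy backtracking on untrusted input. test_strip_tags starts outside the hunk.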