Ticket #19237: 19237-parser-5.diff

django/utils/html.py

@@ -16 +16 @@
 from django.utils import six
 from django.utils.text import normalize_newlines
 
-from .html_parser import HTMLParser
+from .html_parser import HTMLParser, HTMLParseError
 
 
 # Configuration for urlize() function.
@@ -136 +136 @@
 def strip_tags(value):
     """Returns the given HTML with all tags stripped."""
     s = MLStripper()
-    s.feed(value)
-    data = s.get_data()
     try:
-        res = s.close()
-    except Exception as e:
-        data += s.rawdata
-    return data
+        s.feed(value)
+        s.close()
+    except HTMLParseError:
+        data = value
+    else:
+        data = s.get_data()
+    return data.replace('<', '&lt;').replace('>', '&gt;')
 strip_tags = allow_lazy(strip_tags)
 
 def remove_tags(html, tags):

docs/ref/utils.txt

@@ -566 +566 @@
     If ``value`` is ``"<b>Joel</b> <button>is</button> a <span>slug</span>"`` the
     return value will be ``"Joel is a slug"``.
 
+    .. versionchanged:: 1.6
+
+        For improved safety, ``strip_tags`` is now parser-based. Any ``<`` or
+        ``>`` characters that are not part of a valid tag are replaced by their
+        encoded equivalents (``&lt;`` and ``&gt;``).
+
+
 .. function:: remove_tags(value, tags)
 
     Removes a space-separated list of [X]HTML tag names from the output.

tests/utils_tests/test_html.py

@@ -69 +69 @@
             ('<adf>a', 'a'),
             ('</adf>a', 'a'),
             ('<asdf><asdf>e', 'e'),
-            ('hi, <f x', 'hi, <f x'),
-            ('</fe', '</fe'),
+            ('hi, <f x', 'hi, &lt;f x'),
+            ('234<235, right?', '234&lt;235, right?'),
+            ('a4<a5 right?', 'a4&lt;a5 right?'),
+            ('b7>b2!', 'b7&gt;b2!'),
+            ('</fe', '&lt;/fe'),
             ('<x>b<y>', 'b'),
             ('a<p onclick="alert(\'<test>\')">b</p>c', 'abc'),
             ('a<p a >b</p>c', 'abc'),