Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#14843 closed Uncategorized (wontfix)

Filter like "striptags" that also removes tag contents

Reported by: geoffhill Owned by: nobody
Component: Template system Version: 1.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

There should be a template tag like "striptags" that also removes everything inside matched tag pairs. Most of the times I've presented template developers with the removetags/striptags filter, they expect this to be the default behavior. Making a separate template tag with this behavior would be better for backwards compatibility.

{{ value|cleartags:"script noscript"|safe }}

If value is <p>Here's a <strong>good</strong>, friendly<script type="text/javascript">...</script> paragraph.</p>, then the output would be <p>Here's a <strong>good</strong>, friendly paragraph.</p>.

Change History (2)

comment:1 by Luke Plant, 14 years ago

Resolution: wontfix
Status: newclosed

Your use case sounds like you want a 'sanitise html' filter, and what you have proposed doesn't do the job, because it doesn't deal with evil attributes. See http://ha.ckers.org/xss.html

If you are dealing with non-evil HTML, however, then the behaviour of striptags is much better - you don't want:

<p>Some <b>really important</b> message</p>

to be turned into:

<p>Some message</p>

So I'm closing as WONTFIX, precisely because people are most likely to use it as an HTML sanitizer, for which it is ill-suited, and for other purposes striptags seems much more appropriate. Please re-open if there is another use case.

comment:2 by Tai Lee, 13 years ago

Easy pickings: unset
Severity: Normal
Type: Uncategorized
UI/UX: unset

I'm not exactly sure what you mean by "sanitize HTML" and "evil attributes", but I was surprised by the behaviour of striptags, which I thought should remove redundant markup and leave the relevant content. Some tags, like <style></style> and <script></script> make striptags practically useless, unless you are sure your content already doesn't have these tags. Who wants to see raw CSS definitions and JS code mixed in with the non-HTML content that remains? Either striptags should clear the contents of some special cased tags, or another filter like cleartags could help here.

Note: See TracTickets for help on using tickets.
Back to Top