#14843 closed Uncategorized (wontfix)
Filter like "striptags" that also removes tag contents
Reported by: | geoffhill | Owned by: | nobody |
---|---|---|---|
Component: | Template system | Version: | 1.2 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
There should be a template tag like "striptags" that also removes everything inside matched tag pairs. Most of the time I've presented template developers with the removetags/striptags filter, they expect this to be the default behavior. Making a separate template tag with this behavior would be better for backwards compatibility.
`{{ value|cleartags:"script noscript"|safe }}`
If value is `<p>Here's a <strong>good</strong>, friendly<script type="text/javascript">...</script> paragraph.</p>`, then the output would be `<p>Here's a <strong>good</strong>, friendly paragraph.</p>`.
Change History (2)
comment:1 by , 14 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Your use case sounds like you want a 'sanitise html' filter, and what you have proposed doesn't do the job, because it doesn't deal with evil attributes. See http://ha.ckers.org/xss.html
If you are dealing with non-evil HTML, however, then the behaviour of striptags is much better - you don't want:
to be turned into:
So I'm closing as WONTFIX, precisely because people are most likely to use it as an HTML sanitizer, for which it is ill-suited, and for other purposes striptags seems much more appropriate. Please re-open if there is another use case.
comment:2 by , 13 years ago
Easy pickings: | unset |
---|---|
Severity: | → Normal |
Type: | → Uncategorized |
UI/UX: | unset |
I'm not exactly sure what you mean by "sanitize HTML" and "evil attributes", but I was surprised by the behaviour of `striptags`, which I thought should remove redundant markup and leave the relevant content. Some tags, like `<style></style>` and `<script></script>`, make `striptags` practically useless, unless you are sure your content already doesn't have these tags. Who wants to see raw CSS definitions and JS code mixed in with the non-HTML content that remains? Either `striptags` should clear the contents of some special cased tags, or another filter like `cleartags` could help here.
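As an added example (not Django's code and not part of this ticket), here is the `cleartags` behaviour from the description implemented on Python's `html.parser`, with a second call that shows the point made in the closing comment: attributes on the tags that survive are passed through untouched, so this strips content but does not sanitize it. The function name and the space-separated tag argument follow the ticket; registering it as a Django filter (`register.filter` in a `templatetags` module) is assumed and not shown.

```python
from html.parser import HTMLParser


class _ClearTagsParser(HTMLParser):
    """Re-emit the input, dropping the listed elements together with their contents."""

    def __init__(self, clear):
        super().__init__(convert_charrefs=False)  # keep entities exactly as written
        self.clear = clear      # lower-cased tag names to remove (constructed argument)
        self.depth = 0          # > 0 while inside an element that is being cleared
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.clear:
            self.depth += 1
        elif self.depth == 0:
            # Raw start tag text: attributes are copied verbatim, nothing is filtered.
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag not in self.clear and self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.clear:
            if self.depth:          # ignore a stray closing tag with no opener
                self.depth -= 1
        elif self.depth == 0:
            self.out.append(f"</{tag}>")

    def _passthrough(self, data):
        # Text, entities and comments are kept only outside a cleared element.
        # For <script>/<style> HTMLParser hands the body over as raw data,
        # so their contents land here and are dropped while depth > 0.
        if self.depth == 0:
            self.out.append(data)

    handle_data = _passthrough
    def handle_entityref(self, name): self._passthrough(f"&{name};")
    def handle_charref(self, name): self._passthrough(f"&#{name};")
    def handle_comment(self, data): self._passthrough(f"<!--{data}-->")


def cleartags(value, arg):
    """Remove every tag named in the space-separated `arg`, contents included."""
    parser = _ClearTagsParser({t.lower() for t in arg.split()})
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

Running `cleartags` on the ticket's sample input with `"script noscript"` gives exactly the output the description expects, while an input such as `<b onmouseover="x()">hi</b>` comes back unchanged, which is the reason the closing comment gives for not treating this as a sanitizer.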