# Note: in typical case this loop executes _strip_once once. """Returns the given HTML with all tags stripped.""" Their new version basically runs it in a loop until running it again doesn't change the string: # _strip_once runs HTMLParser once, pulling out just the text of all the nodes. Their old strip_tags was essentially the same as the top answer to this question. This problem was disclosed to the Django project in March, 2014. It only takes out the, leaving you with It looks broken, so HTMLParser doesn't get rid of it. The first time HTMLParser sees it, it can't tell that the is a tag. Look at this string ( source and discussion): src=x onerror=alert(1) //> It's easy to circumvent the top answer to this question. So NEVER mark safe the result of a strip_tags call without escaping it first, for example with escape().įollow their advice! To strip tags with HTMLParser, you have to run it multiple times. Stripping out normal HTML tags is not enough.ĭjango's strip_tags, an improved (see next heading) version of the top answer to this question, gives the following warning:Ībsolutely NO guarantee is provided about the resulting string being HTML safe. Most of the techniques on this page will leave things like unclosed comments ( ' will be let through by every tag stripper on this page (except because they're not complete tags on their own. But it's another to take arbitrary input and make it completely harmless. It's one thing to keep people from italicizing things, without leaving is floating around. Why can't I just strip the tags and leave it? Their version handles HTML entities too, while this quick one doesn't. # Remove well-formed tags, fixing mistakes by legitimate users
0 kommentar(er)
