Security advisory: remove_tags safety

Posted by Tim Graham on Aug. 11, 2014

We've received a report that the django.utils.html.remove_tags() function and the related removetags template filter do not correctly strip obfuscated tags. In particular, they don't work recursively: a single pass removes the inner tags, so remove_tags("<sc<script>ript>alert('XSS')</sc</script>ript>", "script") won't remove the "nested" script tags, and a script tag survives in the output.

If you are using the remove_tags() function or the removetags template filter on user-provided input in your projects, please review your code and ensure that you never mark their output as safe without escaping it first. If you are using the output of remove_tags() in a template, or if you are using the removetags template filter, escaping is the default and safe behavior unless you have disabled automatic escaping in your templates.
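The following is an added example, not code from the advisory or from Django itself. It reconstructs the single-pass stripping behaviour the advisory describes (hypothetical `remove_tags_single_pass`, modelled on the start-tag/end-tag regex approach but not Django's code), runs it over the obfuscated input quoted above, and then shows the recommended handling: treat the result as untrusted and escape it before it reaches a page. The `still_contains_tag` check is an added defensive assertion you can use in tests; the sample inputs are constructed.

```python
import html
import re

# Constructed sample input, as quoted in the advisory: each tag is split
# around an inner copy of itself, so removing the inner copy rebuilds the outer one.
OBFUSCATED = "<sc<script>ript>alert('XSS')</sc</script>ript>"


def remove_tags_single_pass(markup: str, tags: str) -> str:
    """Strip start and end tags of the named elements in one pass.

    Hypothetical reconstruction of the non-recursive behaviour the advisory
    describes (not Django's own code): the regexes run once over the input and
    the result is never re-scanned, so a tag that only appears after an inner
    tag has been removed is left in place.
    """
    names = [re.escape(tag) for tag in tags.split()]
    names_re = "(%s)" % "|".join(names)
    starttag_re = re.compile(r"<%s(/?>|(\s+[^>]*>))" % names_re)
    endtag_re = re.compile(r"</%s>" % names_re)
    markup = starttag_re.sub("", markup)
    return endtag_re.sub("", markup)


def still_contains_tag(markup: str, tag: str) -> bool:
    """Defensive check: does a start tag for `tag` survive in the markup?

    Useful as a unit-test guard around any tag-stripping helper whose output
    might be rendered without further escaping.
    """
    pattern = r"<%s(\s|/?>)" % re.escape(tag)
    return re.search(pattern, markup, re.IGNORECASE) is not None


def safe_for_template(markup: str, tags: str) -> str:
    """What the advisory recommends: never mark the stripped output as safe.

    Escaping with html.escape() turns any surviving tag into inert text, which
    is what Django's default template autoescaping would do for you.
    """
    return html.escape(remove_tags_single_pass(markup, tags))


if __name__ == "__main__":
    stripped = remove_tags_single_pass(OBFUSCATED, "script")
    print("after single-pass strip:", stripped)
    print("script tag survived:", still_contains_tag(stripped, "script"))
    print("escaped for output:", safe_for_template(OBFUSCATED, "script"))
```

Running the script shows the single-pass strip collapsing the obfuscated input back into a plain script element, which `still_contains_tag` flags, while `safe_for_template` produces text that no browser will execute. The point for reviewers is the last function: the stripping step may be kept for cosmetic reasons, but the escaping step is the one that carries the security guarantee.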

We plan to deprecate these functions in a future version of Django rather than keep around functions whose names are likely to lead to their use in security-sensitive contexts where they are not actually safe.

This issue was reported to security@djangoproject.com by Yoann Ono Dit Biot. We thank him for taking the cautious approach of privately reporting this issue, rather than logging a public ticket in Django's Trac instance. Please see our security policies for further information on reporting security issues.
