Security advisory: strip_tags safety

Posted by Erik Romijn and Claude Paroz on March 22, 2014

We've received a report that the django.utils.html.strip_tags function (and also the related striptags template filter) did not correctly strip some obfuscated tags. This particular issue has been resolved in future releases of Django 1.6 and 1.7. While investigating this issue, we found that the documentation for strip_tags does mention that the result may still contain unsafe HTML content and cannot be considered safe, but that this limitation should be stressed more strongly.

If you are using the strip_tags function or the striptags template filter in your projects, please review your code and ensure that you never mark their output as safe without escaping it first. Note that if you are using the output of strip_tags in a template, or if you are using the striptags template filter, escaping is the default and safe behaviour, unless you have disabled automatic escaping in your templates.

Update, 25 March: This issue was reported to security@djangoproject.com in two independent reports; the first by Collin Anderson, and the second by Yoann Ono. We thank both of them for taking the cautious approach of privately reporting this issue, rather than logging a public ticket in Django's Trac instance. Please see our security policies for further information.