2024-11-27 13:30:12 +00:00
|
|
|
===========================
|
|
|
|
Django 4.2.17 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*December 4, 2024*
|
|
|
|
|
|
|
|
Django 4.2.17 fixes one security issue with severity "high" and one security
|
|
|
|
issue with severity "moderate" in 4.2.16.
|
2024-11-13 14:06:23 +00:00
|
|
|
|
|
|
|
CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
|
|
|
|
=================================================================
|
|
|
|
|
|
|
|
:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
|
|
|
|
certain inputs containing large sequences of nested incomplete HTML entities.
|
|
|
|
The ``strip_tags()`` method is used to implement the corresponding
|
|
|
|
:tfilter:`striptags` template filter, which was thus also vulnerable.
|
|
|
|
|
|
|
|
``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
|
|
|
|
before raising a :exc:`.SuspiciousOperation` exception.
|
|
|
|
|
|
|
|
Remember that absolutely NO guarantee is provided about the results of
|
|
|
|
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
|
|
|
|
``strip_tags()`` call without escaping it first, for example with
|
|
|
|
:func:`django.utils.html.escape`.
|