Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().

Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2025-10-31 09:41:08 +00:00 · 2024-11-13 15:06:23 +01:00
parent 58e548db8b
commit 49ff1042aa
5 changed files with 63 additions and 2 deletions
--- a/docs/releases/5.1.4.txt
+++ b/docs/releases/5.1.4.txt
@@ -7,6 +7,22 @@ Django 5.1.4 release notes
 Django 5.1.4 fixes one security issue with severity "high", one security issue
 with severity "moderate", and several bugs in 5.1.3.

+CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
+certain inputs containing large sequences of nested incomplete HTML entities.
+The ``strip_tags()`` method is used to implement the corresponding
+:tfilter:`striptags` template filter, which was thus also vulnerable.
+
+``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
+before raising a :exc:`.SuspiciousOperation` exception.
+
+Remember that absolutely NO guarantee is provided about the results of
+``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
+``strip_tags()`` call without escaping it first, for example with
+:func:`django.utils.html.escape`.
+
 Bugfixes
 ========