
Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Sarah Boyce
2025-04-08 16:30:17 +02:00
committed by Natalia
parent f7d97dd118
commit 9f3419b519
5 changed files with 53 additions and 1 deletions


@@ -43,6 +43,9 @@ VOID_ELEMENTS = frozenset(
MAX_STRIP_TAGS_DEPTH = 50
# HTML tag that opens but has no closing ">" after 1k+ chars.
long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
@keep_lazy(SafeString)
def escape(text):
@@ -208,6 +211,9 @@ def _strip_once(value):
def strip_tags(value):
"""Return the given HTML with all tags stripped."""
value = str(value)
for long_open_tag in long_open_tag_without_closing_re.finditer(value):
if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
raise SuspiciousOperation
# Note: in typical case this loop executes _strip_once twice (the second
# execution does not remove any more tags).
strip_tags_depth = 0
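Review bot: The new `raise SuspiciousOperation` in the second hunk carries no message, so the entry Django writes to the `django.security` logger gives an operator nothing to triage with; `raise SuspiciousOperation("strip_tags: unclosed HTML tag with too many nested '<' characters")` would make the event attributable, and if the existing depth loop (outside this hunk) raises bare as well, both sites could share the same wording. The pre-check also reuses `MAX_STRIP_TAGS_DEPTH`, a per-pass depth limit, as a threshold on the count of `<` inside one 1000+ character unclosed tag, which is a different quantity; a short comment above the `for` such as `# An unclosed tag containing this many '<' would otherwise cost one _strip_once pass per nesting level.` would record why the two limits are tied, or a dedicated constant would keep them independent. The docstring on `strip_tags` still reads "Return the given HTML with all tags stripped." and does not mention that `SuspiciousOperation` is raised for such input; a second line noting that would help callers decide whether to catch it. The body of `strip_tags` continues past the end of this hunk.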