Author | Commit | Message | Date
Sarah Boyce | 49ff1042aa | Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags(). Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews. | 2024-12-04 13:43:13 +01:00
Sarah Boyce | 320dd27412 | Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. | 2024-09-03 09:22:32 -03:00
Adam Johnson | 2b71b2c8dc | Refs #34609 -- Fixed deprecation warning stack level in format_html(). Co-authored-by: Simon Charette <charette.s@gmail.com> | 2024-08-27 15:14:50 -03:00
nabil-rady | 231c0d8593 | Fixed #35668 -- Added mapping support to format_html_join. | 2024-08-20 08:20:34 +02:00
Mariusz Felisiak | 5f1757142f | Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:50:08 +02:00
Sarah Boyce | ecf1f8fb90 | Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks to MProgrammer for the report. | 2024-08-06 08:50:08 +02:00
Adam Johnson | d666457453 | Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-09 09:21:19 -03:00
devilsautumn | 094b0bea2c | Fixed #34609 -- Deprecated calling format_html() without arguments. | 2023-06-06 14:14:57 +02:00
Hrushikesh Vaidya | 72e41a0df6 | Fixed #33779 -- Allowed customizing encoder class in django.utils.html.json_script(). | 2022-06-28 10:54:38 +02:00
Adam Johnson | a45f28f0ec | Rewrote strip_tags test file to lorem ipsum. | 2022-03-08 14:50:06 +01:00
Mariusz Felisiak | 7119f40c98 | Refs #33476 -- Refactored code to strictly match 88 characters line length. | 2022-02-07 20:37:05 +01:00
django-bot | 9c19aff7c7 | Refs #33476 -- Reformatted code with Black. | 2022-02-07 20:37:05 +01:00
Baptiste Mispelon | e6e664a711 | Fixed #33302 -- Made element_id optional argument for json_script template filter. Added versionchanged note in documentation. | 2021-11-22 11:52:19 +01:00
Shipeng Feng | 68cc04887b | Fixed #32866 -- Fixed trimming trailing punctuation from escaped string in urlize(). | 2021-07-07 11:19:33 +02:00
Florian Apolloner | 4b78420d25 | Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report. | 2019-08-01 09:24:54 +02:00
Jon Dufresne | 8d76443aba | Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape(). | 2019-04-25 15:09:07 +02:00
Jon Dufresne | 7e3bf2662b | Removed default mode='r' argument from calls to open(). | 2019-01-27 17:41:43 -05:00
Srinivas Thatiparthy (శ్రీనివాస్ తాటిపర్తి) | a7ef4a56e0 | Fixed #29920 -- Added a test for smart_urlquote()'s UnicodeError branch. | 2018-11-09 12:39:08 -05:00
Jon Dufresne | 82f286cf6f | Refs #29784 -- Switched to https:// links where available. | 2018-09-26 08:48:47 +02:00
Tim Graham | 911af0d24b | Added more tests for django.utils.html.urlize(). | 2018-03-06 08:30:41 -05:00
Tim Graham | 8618271caa | Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. | 2018-03-06 08:30:40 -05:00
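The urlize entries above (CVE-2018-7536 and the 2024 fixes CVE-2024-38875, CVE-2024-41990, CVE-2024-41991 and CVE-2024-45230) all concern regular expressions that backtrack badly on crafted input while deciding where a candidate URL ends and its surrounding punctuation begins. The following is an added example, not Django's code and not the patterns those commits patched: a hypothetical nested-quantifier pattern timed on near-miss input, beside a linear index-based trimmer that keeps balanced wrapping parentheses without using a regex at all. The pattern, the punctuation tables and the function names are assumptions made for the illustration.

```python
"""Added illustration of the urlize trailing-punctuation problem: a
backtracking regex versus a linear scan. Constructed for this page; it is
not Django's code and the patterns and names below are hypothetical."""
import re
import time

# Hypothetical "token" pattern with a nested quantifier. A run of word
# characters can be split between the inner \w+ and the outer (...)+ in
# exponentially many ways, and when the final "$" fails the engine tries
# all of them before giving up.
BACKTRACKING_RE = re.compile(r"^(\w+\.?)+$")

TRAILING_PUNCTUATION = ".,:;!?"
WRAPPING_PUNCTUATION = (("(", ")"), ("[", "]"))


def trim_punctuation(token):
    """Split ``token`` into (lead, middle, trail) without any regex.

    Leading opening wrappers and trailing punctuation are peeled off, and a
    trailing closing wrapper is only removed while it is unbalanced, so a
    URL like https://en.wikipedia.org/wiki/Foo_(bar) keeps its ")".  Every
    loop iteration moves an index by exactly one, so the cost is linear in
    len(token) whatever the input looks like.
    """
    openers = {opening for opening, _ in WRAPPING_PUNCTUATION}
    closer_to_opener = {closing: opening for opening, closing in WRAPPING_PUNCTUATION}
    start, end = 0, len(token)
    while start < end and token[start] in openers:
        start += 1
    # Count wrappers once up front so the balance check stays O(1) per step.
    counts = {ch: token.count(ch, start, end)
              for pair in WRAPPING_PUNCTUATION for ch in pair}
    while start < end:
        ch = token[end - 1]
        if ch in TRAILING_PUNCTUATION:
            end -= 1
        elif ch in closer_to_opener and counts[ch] > counts[closer_to_opener[ch]]:
            counts[ch] -= 1
            end -= 1
        else:
            break
    return token[:start], token[start:end], token[end:]


def time_backtracking(lengths=(12, 14, 16, 18)):
    """Time BACKTRACKING_RE on near-miss inputs of growing length and return
    [(length, seconds)]; the wall time roughly doubles per extra character."""
    timings = []
    for n in lengths:
        near_miss = "a" * n + "!"      # fails only at the very last character
        started = time.perf_counter()
        matched = BACKTRACKING_RE.match(near_miss) is not None
        timings.append((n, time.perf_counter() - started))
        assert not matched
    return timings


if __name__ == "__main__":
    for n, seconds in time_backtracking():
        print(f"n={n:2d}  {seconds * 1000:8.1f} ms")
    # The linear scan handles an adversarial 100k-character token instantly.
    lead, middle, trail = trim_punctuation("(" * 50_000 + "x" + ")" * 50_000 + "...")
    print(len(lead), middle, len(trail))
    print(trim_punctuation("(https://example.com/path)."))
```

The useful habit this shows is the review question to ask of any pattern applied to user-controlled text: can a single input be matched in more than one way before the overall match fails? If so, either rewrite the pattern so each character can be consumed by only one branch, or replace it with an explicit scan like `trim_punctuation` whose running time is visibly bounded.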
Tim Graham | b832de869e | Added tests for utils.html.urlize() (lazy string inputs were untested). | 2018-02-10 15:45:57 -05:00
Jonas Haag | 8c709d79cb | Fixed #17419 -- Added json_tag template filter. | 2018-02-07 18:38:12 -05:00
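The filter introduced in the entry above is the one the later entries call json_script (#33302 made its element_id optional, #33779 added a custom encoder class). Its security job is to let a template drop JSON into a `<script>` element without the data being able to close that element. The following is an added example, not Django's implementation: a constructed stand-in with the same three-character escaping idea, shown beside the naive pasting it replaces and a check that the browser-side parse still recovers the original value. The names `json_script`, `naive_embed`, `script_closes_early`, `extract_payload` and `DecimalEncoder` and the sample data are assumptions made for the illustration.

```python
"""Added illustration of why a json_script-style helper escapes "<", ">"
and "&" before placing JSON inside a <script> element.  Constructed for
this page: a stand-in, not Django's implementation; all names below are
hypothetical."""
import html
import json
from decimal import Decimal

# Inside a JSON string literal "\u003C" is the same character as "<", so
# rewriting these three characters changes nothing for JSON.parse() but
# removes every sequence (</script, <!--, &...;) that the HTML parser
# would act on before the JSON parser ever sees the text.
_JSON_SCRIPT_ESCAPES = {
    ord(">"): "\\u003E",
    ord("<"): "\\u003C",
    ord("&"): "\\u0026",
}


def json_script(value, element_id=None, encoder=json.JSONEncoder):
    """Serialise ``value`` with ``encoder`` and wrap it in a JSON script tag
    that the data cannot break out of.  ``element_id`` is optional and is
    HTML-escaped because it lands inside an attribute value."""
    payload = json.dumps(value, cls=encoder).translate(_JSON_SCRIPT_ESCAPES)
    if element_id is None:
        return f'<script type="application/json">{payload}</script>'
    return (f'<script id="{html.escape(element_id)}" type="application/json">'
            f'{payload}</script>')


def naive_embed(value):
    """The anti-pattern: raw json.dumps() output pasted into a script."""
    return "<script>var data = " + json.dumps(value) + ";</script>"


def script_closes_early(markup):
    """True if the text between the script tags contains "</script", which
    the HTML parser treats as the end of the element no matter what the
    JavaScript or JSON string context says."""
    inner = markup[markup.index(">") + 1:markup.rindex("<")]
    return "</script" in inner.lower()


def extract_payload(markup):
    """What the page's JavaScript would do: read the element's text and
    JSON.parse() it.  No entity decoding happens inside <script>, so the
    \\u escapes are undone by the JSON parser, not the HTML parser."""
    inner = markup[markup.index(">") + 1:markup.rindex("</script>")]
    return json.loads(inner)


class DecimalEncoder(json.JSONEncoder):
    """Example custom encoder, the hook the encoder parameter exposes."""
    def default(self, o):
        if isinstance(o, Decimal):
            return str(o)
        return super().default(o)


# Constructed samples: user-controlled text that tries to close the script,
# and a value the default encoder cannot serialise.
EVIL = {"msg": "</script><script>alert(1)</script>", "n": 1}
PRICE = {"price": Decimal("9.99")}

if __name__ == "__main__":
    print(naive_embed(EVIL))             # breaks out of the element
    print(json_script(EVIL, "payload"))  # stays inside it
    print(json_script(PRICE, encoder=DecimalEncoder))
```

Two details worth keeping when writing or reviewing such a helper: the element id is attribute context and needs HTML escaping of its own, and the escaping must be applied to the serialised JSON text, not to the input values, so that keys and non-string scalars are covered as well.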
Jon Dufresne | ff05de760c | Fixed #29038 -- Removed closing slash from HTML void tags. | 2018-01-21 02:09:10 -05:00
Tim Graham | 6ae1b04fb5 | Fixed #27900 -- Made escapejs escape backticks for use in ES6 template literals. | 2017-03-04 09:04:16 -05:00
Claude Paroz | a21ec12409 | Fixed #27803 -- Kept safe status of lazy safe strings in conditional_escape | 2017-02-02 21:01:39 +01:00
Tim Graham | f8d52521ab | Refs #27804 -- Used subTest() in tests.utils_tests.test_html. | 2017-02-02 08:17:00 -05:00
Tim Graham | 2af8cd22a9 | Imported specific functions in tests.utils_tests.test_html. | 2017-02-02 07:23:10 -05:00
Claude Paroz | 2366100872 | Removed unneeded force_text calls in the test suite | 2017-01-24 18:45:54 +01:00
Tim Graham | 4e729feaa6 | Refs #23919 -- Removed django.utils._os.upath()/npath()/abspathu() usage. These functions do nothing on Python 3. | 2017-01-20 08:01:02 -05:00
Simon Charette | cecc079168 | Refs #23919 -- Stopped inheriting from object to define new style classes. | 2017-01-19 08:39:46 +01:00
Claude Paroz | c716fe8782 | Refs #23919 -- Removed six.PY2/PY3 usage. Thanks Tim Graham for the review. | 2017-01-18 16:21:28 +01:00
Claude Paroz | d7b9aaa366 | Refs #23919 -- Removed encoding preambles and future imports | 2017-01-18 09:55:19 +01:00
za | 321e94fa41 | Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. | 2016-11-10 21:30:21 -05:00
Iacopo Spalletti | d693074d43 | Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy(). Thanks to bmispelon and uruz for the initial patch. | 2015-12-12 14:46:48 -05:00
Tim Graham | 222d063301 | Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline. | 2015-09-23 19:31:09 -04:00
Dražen Odobašić | b1e33ceced | Fixed #23395 -- Limited line lengths to 119 characters. | 2015-09-12 11:40:50 -04:00
Tim Graham | aaacaeb096 | Renamed RemovedInDjangoXYWarnings for new roadmap. Forwardport of ae1d663b79 from stable/1.8.x plus more. | 2015-06-24 16:08:20 -04:00
Moritz Sichert | 1f2abf784a | Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates. | 2015-03-27 19:46:20 -04:00
Tim Graham | 1c83fc88d6 | Fixed an infinite loop possibility in strip_tags(). This is a security fix; disclosure to follow shortly. | 2015-03-18 19:20:07 -04:00
Tim Graham | 0ed7d15563 | Sorted imports with isort; refs #23860. | 2015-02-06 08:16:28 -05:00
Claude Paroz | 51890ce889 | Applied ignore_warnings to Django tests | 2014-12-30 18:16:25 +01:00
Berker Peksag | 560b4207b1 | Removed redundant numbered parameters from str.format(). Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}". | 2014-12-03 14:27:38 -05:00
Claude Paroz | b9d9287f59 | Fixed urlize after smart_urlquote rewrite. Refs #22267. | 2014-09-09 21:59:35 +02:00
Claude Paroz | 4b8a1d2c0d | Fixed #22267 -- Fixed unquote/quote in smart_urlquote. Thanks Md. Enzam Hossain for the report and initial patch, and Tim Graham for the review. | 2014-09-09 21:58:07 +02:00
Tim Graham | e122facbd8 | Fixed #23269 -- Deprecated django.utils.remove_tags() and removetags filter. Also the unused, undocumented django.utils.html.strip_entities() function. | 2014-08-15 08:20:02 -04:00
Claude Paroz | 6a0291bdaf | Tweaked strip_tags tests to pass on Python 3.3 | 2014-03-22 14:43:11 +01:00
Claude Paroz | 6ca6c36f82 | Improved strip_tags and clarified documentation. The fact that strip_tags cannot guarantee to really strip all non-safe HTML content was not clear enough. Also see: https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/ | 2014-03-22 10:59:18 +01:00
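The strip_tags advisory entry above records that strip_tags cannot guarantee to remove all unsafe HTML, and the later "infinite loop possibility in strip_tags()" and strip_tags DoS entries (CVE-2019-14233, CVE-2024-53907) show that the repeated-stripping approach needs a termination argument of its own. The following is an added example, not Django's implementation: a constructed single-pass stripper whose leftovers reassemble into a tag, the fixpoint loop that closes that gap, and a check showing why even the fixpoint output must still be treated as untrusted text rather than as sanitised HTML. `TAG_RE`, the function names and the sample inputs are assumptions made for the illustration.

```python
"""Added illustration of the strip_tags advisory point: a tag stripper must
run to a fixpoint, and even then it is not a sanitiser.  Constructed for
this page; TAG_RE and the functions below are hypothetical stand-ins, not
Django's implementation."""
import html
import re

# Single-pass stripper: delete anything that looks like <...> and has no
# nested angle bracket inside it.
TAG_RE = re.compile(r"<[^<>]*>")


def strip_tags_once(value):
    """One pass.  Pieces left behind can join up into a new tag, e.g.
    "<<b>script>" becomes "<script>" once the inner <b> is removed."""
    return TAG_RE.sub("", value)


def strip_rounds(value):
    """Run strip_tags_once until the text stops changing and return
    (result, rounds).  Every productive round only deletes characters, so
    the loop is bounded by len(value) and cannot spin forever; a stripper
    that can rewrite text without shortening it would need an explicit
    round limit on top of this check."""
    rounds = 0
    while True:
        rounds += 1
        stripped = strip_tags_once(value)
        if stripped == value:
            return value, rounds
        value = stripped


def strip_tags(value):
    return strip_rounds(value)[0]


def markup_after_unescape(text):
    """Tag-free text is only tag-free until something decodes entities:
    "&lt;script&gt;" passes straight through strip_tags and turns back
    into a tag in any later html.unescape() (or in a browser that is handed
    the value as HTML source).  Returns the first tag that would reappear,
    or None."""
    match = TAG_RE.search(html.unescape(text))
    return match.group(0) if match else None


# Constructed inputs.
NESTED = "<<b>script>alert(1)<</b>/script>"
ENTITY = "&lt;script&gt;alert(1)&lt;/script&gt;"

if __name__ == "__main__":
    print(strip_tags_once(NESTED))                    # <script>alert(1)</script>
    print(strip_rounds(NESTED))                       # ('alert(1)', 3)
    print(strip_tags(ENTITY))                         # unchanged
    print(markup_after_unescape(strip_tags(ENTITY)))  # <script>
```

The practical conclusion matches the advisory: use a tag stripper to produce plain text for display in a text context, HTML-escape that text on output like any other string, and reach for a real HTML sanitiser (an allowlist parser) when the output is meant to be rendered as markup. Because stripping is iterative, the input length is also the natural place to put an upper bound before the loop runs on untrusted data.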
Tim Graham | 8b81dee60c | Removed fix_ampersands template filter per deprecation timeline. Also removed related utility functions: django.utils.html.fix_ampersands, django.utils.html.clean_html. | 2014-03-21 08:50:43 -04:00
Claude Paroz | 210d0489c5 | Fixed #21188 -- Introduced subclasses for to-be-removed-in-django-XX warnings. Thanks Anssi Kääriäinen for the idea and Simon Charette for the review. | 2014-03-08 09:57:40 +01:00