@@ -428,14 +428,17 @@ def trim_punctuation(self, word):

potential_entity = middle[amp:]

escaped = html.unescape(potential_entity)

if escaped == potential_entity or escaped.endswith(";"):

rstripped = middle.rstrip(";")

amount_stripped = len(middle) - len(rstripped)

if amp > -1 and amount_stripped > 1:

# Leave a trailing semicolon as might be an entity.

trail = middle[len(rstripped) + 1 :] + trail

middle = rstripped + ";"

rstripped = middle.rstrip(self.trailing_punctuation_chars)

trail_start = len(rstripped)

amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))

if amp > -1 and amount_trailing_semicolons > 1:

# Leave up to most recent semicolon as might be an entity.

recent_semicolon = middle[trail_start:].index(";")

middle_semicolon_index = recent_semicolon + trail_start + 1

trail = middle[middle_semicolon_index:] + trail

middle = rstripped + middle[trail_start:middle_semicolon_index]

else:

trail = middle[len(rstripped) :] + trail

trail = middle[trail_start:] + trail

middle = rstripped

trimmed_something = True

@@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for

email addresses that contain single quotes (``'``), things won't work as

expected. Apply this filter only to plain text.

.. warning::

Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which

can become severe when applied to user controlled values such as content

stored in a :class:`~django.db.models.TextField`. You can use

:tfilter:`truncatechars` to add a limit to such inputs:

.. code-block:: html+django

{{ value|truncatechars:500|urlize }}

.. templatefilter:: urlizetrunc

``urlizetrunc``

@@ -7,4 +7,9 @@ Django 4.2.16 release notes

Django 4.2.16 fixes one security issue with severity "moderate" and one

security issue with severity "low" in 4.2.15.

...

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

denial-of-service attack via very large inputs with a specific sequence of

characters.

@@ -7,4 +7,9 @@ Django 5.0.9 release notes

Django 5.0.9 fixes one security issue with severity "moderate" and one security

issue with severity "low" in 5.0.8.

...

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

denial-of-service attack via very large inputs with a specific sequence of

characters.

@@ -7,6 +7,13 @@ Django 5.1.1 release notes

Django 5.1.1 fixes one security issue with severity "moderate", one security

issue with severity "low", and several bugs in 5.1.

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

denial-of-service attack via very large inputs with a specific sequence of

characters.

Bugfixes

========

@@ -321,6 +321,11 @@ def test_trailing_semicolon(self):

'<a href="http://example.com?x=" rel="nofollow">'

"http://example.com?x=&amp;</a>;;",

)

self.assertEqual(

urlize("http://example.com?x=&amp.;...;", autoescape=False),

'<a href="http://example.com?x=" rel="nofollow">'

"http://example.com?x=&amp</a>.;...;",

)

def test_brackets(self):

"""

@@ -375,6 +375,7 @@ def test_urlize_unchanged_inputs(self):

"&:" + ";" * 100_000,

"&.;" * 100_000,

".;" * 100_000,

"&" + ";:" * 100_000,

)

for value in tests:

with self.subTest(value=value):