7
7
from html.parser import HTMLParser
8
8
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
9
9
10
+
from django.core.exceptions import SuspiciousOperation
10
11
from django.utils.deprecation import RemovedInDjango60Warning
11
12
from django.utils.encoding import punycode
12
13
from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
39
40
)
40
41
41
42
MAX_URL_LENGTH = 2048
43
+
MAX_STRIP_TAGS_DEPTH = 50
42
44
43
45
44
46
@keep_lazy(SafeString)
@@ -205,15 +207,19 @@ def _strip_once(value):
205
207
@keep_lazy_text
206
208
def strip_tags(value):
207
209
"""Return the given HTML with all tags stripped."""
208
-
# Note: in typical case this loop executes _strip_once once. Loop condition
209
-
# is redundant, but helps to reduce number of executions of _strip_once.
210
210
value = str(value)
211
+
# Note: in typical case this loop executes _strip_once twice (the second
212
+
# execution does not remove any more tags).
213
+
strip_tags_depth = 0
211
214
while "<" in value and ">" in value:
215
+
if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
216
+
raise SuspiciousOperation
212
217
new_value = _strip_once(value)
213
218
if value.count("<") == new_value.count("<"):
214
219
# _strip_once wasn't able to detect more tags.
215
220
break
216
221
value = new_value
222
+
strip_tags_depth += 1
217
223
return value
218
224
219
225
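Review bot: The new `raise SuspiciousOperation` inside the loop carries no message, so the `django.security.SuspiciousOperation` log entry that Django's 400 handling emits says nothing about which guard fired or at what depth; I'd raise it as `raise SuspiciousOperation(f"strip_tags() reached the maximum depth of {MAX_STRIP_TAGS_DEPTH} nested tags")`. The docstring should also state the new failure mode, since callers outside a request cycle (management commands, background tasks, not just the `striptags` filter) now get an exception where they previously always got a string: add `Raises SuspiciousOperation when more than MAX_STRIP_TAGS_DEPTH stripping passes are needed, which bounds the work done on adversarial input.` Note that `strip_tags_depth` only advances after a pass that actually removed something, because an unproductive pass exits through the existing `break` before the increment, so the limit bounds productive passes and total work stays at roughly MAX_STRIP_TAGS_DEPTH times the cost of one `_strip_once` call; `_strip_once` itself is outside this hunk, so its per-pass cost cannot be confirmed here.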