Source: https://github.com/django/django/commit/c9731dc656e533187b021b4d81f8293d6c943a43

[5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags(). · django/django@c9731dc · GitHub

5 files changed: +53 −1 lines changed

@@ -42,6 +42,9 @@

42 42 43 43

MAX_STRIP_TAGS_DEPTH = 50

44 44 45 +

# HTML tag that opens but has no closing ">" after 1k+ chars.

46 +

long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")

47 + 45 48 46 49

@keep_lazy(SafeString)

47 50

def escape(text):
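Review bot: The threshold in `long_open_tag_without_closing_re` is a bare `1000` inside the pattern `r"<[a-zA-Z][^>]{1000,}"`, while the companion limit just above it is the named `MAX_STRIP_TAGS_DEPTH`; consider a named constant and reference it from the comment (which currently says "1k+ chars") so that the two limits that together decide when `strip_tags()` rejects input are visible and tunable in one place. Note for readers of the pattern that `[^>]` also matches `<`, so one match deliberately spans any further unclosed `<` runs; the number of `<` characters inside that match is what the caller checks.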

@@ -213,6 +216,9 @@ def _strip_once(value):

213 216

def strip_tags(value):

214 217

"""Return the given HTML with all tags stripped."""

215 218

value = str(value)

219 +

for long_open_tag in long_open_tag_without_closing_re.finditer(value):

220 +

if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:

221 +

raise SuspiciousOperation

216 222

# Note: in typical case this loop executes _strip_once twice (the second

217 223

# execution does not remove any more tags).

218 224

strip_tags_depth = 0
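Review bot: `raise SuspiciousOperation` is raised without a message, so the resulting security log entry will not say which limit was hit; consider `raise SuspiciousOperation("...")` naming the long-open-tag check to distinguish it from the depth check further down in the same function. The check also reuses `MAX_STRIP_TAGS_DEPTH` (a nesting-depth limit of 50) as the threshold for the count of `<` characters inside a single unclosed tag longer than 1000 characters; these are different quantities, so either a dedicated constant or a one-line comment explaining why the same value is appropriate would help the next reader. Placing the loop before the `_strip_once` loop is the right call, since oversized input is rejected before the expensive path runs.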


@@ -7,6 +7,17 @@ Django 4.2.21 release notes

7 7

Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,

8 8

and a regression in 4.2.20.

9 9 10 +

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``

11 +

=================================================================

12 + 13 +

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs

14 +

containing large sequences of incomplete HTML tags. This function is used to

15 +

implement the :tfilter:`striptags` template filter, which was thus also

16 +

vulnerable.

17 + 18 +

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`

19 +

exception if it encounters an unusually large number of unclosed opening tags.

20 + 10 21

Bugfixes

11 22

========

12 23 Original file line number Diff line number Diff line change

@@ -7,6 +7,17 @@ Django 5.1.9 release notes

7 7

Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug,

8 8

and a regression in 5.1.8.

9 9 10 +

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``

11 +

=================================================================

12 + 13 +

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs

14 +

containing large sequences of incomplete HTML tags. This function is used to

15 +

implement the :tfilter:`striptags` template filter, which was thus also

16 +

vulnerable.

17 + 18 +

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`

19 +

exception if it encounters an unusually large number of unclosed opening tags.

20 + 10 21

Bugfixes

11 22

========

12 23 Original file line number Diff line number Diff line change

@@ -7,6 +7,17 @@ Django 5.2.1 release notes

7 7

Django 5.2.1 fixes a security issue with severity "moderate" and several bugs

8 8

in 5.2.

9 9 10 +

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``

11 +

=================================================================

12 + 13 +

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs

14 +

containing large sequences of incomplete HTML tags. This function is used to

15 +

implement the :tfilter:`striptags` template filter, which was thus also

16 +

vulnerable.

17 + 18 +

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`

19 +

exception if it encounters an unusually large number of unclosed opening tags.

20 + 10 21

Bugfixes

11 22

========

12 23 Original file line number Diff line number Diff line change

@@ -147,17 +147,30 @@ def test_strip_tags(self):

147 147

("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),

148 148

("X<<<<br>br>br>br>X", "XX"),

149 149

("<" * 50 + "a>" * 50, ""),

150 +

(">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),

151 +

("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),

152 +

("<" + "a" * 1_002, "<" + "a" * 1_002),

150 153

)

151 154

for value, output in items:

152 155

with self.subTest(value=value, output=output):

153 156

self.check_output(strip_tags, value, output)

154 157

self.check_output(strip_tags, lazystr(value), output)

155 158 156 -

def test_strip_tags_suspicious_operation(self):

159 +

def test_strip_tags_suspicious_operation_max_depth(self):

157 160

value = "<" * 51 + "a>" * 51, "<a>"

158 161

with self.assertRaises(SuspiciousOperation):

159 162

strip_tags(value)

160 163 164 +

def test_strip_tags_suspicious_operation_large_open_tags(self):

165 +

items = [

166 +

">" + "<a" * 501,

167 +

"<a" * 50 + "a" * 950,

168 +

]

169 +

for value in items:

170 +

with self.subTest(value=value):

171 +

with self.assertRaises(SuspiciousOperation):

172 +

strip_tags(value)

173 + 161 174

def test_strip_tags_files(self):

162 175

# Test with more lengthy content (also catching performance regressions)

163 176

for filename in ("strip_tags1.html", "strip_tags2.txt"):
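Review bot: In the renamed `test_strip_tags_suspicious_operation_max_depth`, the line `value = "<" * 51 + "a>" * 51, "<a>"` builds a tuple because of the trailing `, "<a>"`, so `strip_tags(value)` is exercised on `str()` of a tuple rather than on the intended string; since this commit already touches that test, drop the stray `, "<a>"`. The boundary coverage in the new cases is good: `">" + "<a" * 500 + "a"` (999 characters after the opening `<a`, so the regex does not match) and `"<a" * 49 + "a" * 951` (matches, but only 49 `<`) stay below the limits in `test_strip_tags`, while `">" + "<a" * 501` and `"<a" * 50 + "a" * 950` cross them in `test_strip_tags_suspicious_operation_large_open_tags`.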
