Showing content from https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7 below:

[2.2.x] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recurs… · django/django@e34f3c0 · GitHub

5 files changed: +55 -2 lines changed

@@ -187,8 +187,8 @@ def strip_tags(value):

187 187

value = str(value)

188 188

while '<' in value and '>' in value:

189 189

new_value = _strip_once(value)

190 -

if len(new_value) >= len(value):

191 -

# _strip_once was not able to detect more tags

190 +

if value.count('<') == new_value.count('<'):

191 +

# _strip_once wasn't able to detect more tags.

192 192

break

193 193

value = new_value

194 194

return value
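Review bot: the new stop condition `if value.count('<') == new_value.count('<'):` redefines "progress" as "a `<` was consumed" instead of "the string got shorter", which is the right criterion for a tag-stripping loop, but the replacement comment `# _strip_once wasn't able to detect more tags.` should say why the length check was dropped: a pass can shrink the string without removing any tag, and under the old `if len(new_value) >= len(value):` every such pass counted as progress and re-ran the parser on the whole input. Also worth stating in the comment that on `break` the function returns `value`, not `new_value`, so whatever the final pass changed other than tags is deliberately discarded (same as before the change, but now reached far more often).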


@@ -19,3 +19,20 @@ filters, which were thus vulnerable.

19 19

The regular expressions used by ``Truncator`` have been simplified in order to

20 20

avoid potential backtracking issues. As a consequence, trailing punctuation may

21 21

now at times be included in the truncated output.

22 + 23 +

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``

24 +

=================================================================

25 + 26 +

Due to the behavior of the underlying ``HTMLParser``,

27 +

:func:`django.utils.html.strip_tags` would be extremely slow to evaluate

28 +

certain inputs containing large sequences of nested incomplete HTML entities.

29 +

The ``strip_tags()`` method is used to implement the corresponding

30 +

:tfilter:`striptags` template filter, which was thus also vulnerable.

31 + 32 +

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress

33 +

removing tags, but necessarily incomplete HTML entities, stops being made.

34 + 35 +

Remember that absolutely NO guarantee is provided about the results of

36 +

``strip_tags()`` being HTML safe. So NEVER mark safe the result of a

37 +

``strip_tags()`` call without escaping it first, for example with

38 +

:func:`django.utils.html.escape`.
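Review bot: the sentence "``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress removing tags, but necessarily incomplete HTML entities, stops being made." is hard to parse and "recursive" is inaccurate for what is a `while` loop in ``strip_tags()``; suggest: "``strip_tags()`` now stops re-running ``HTMLParser`` once a pass no longer removes any tag, even if that pass still alters incomplete HTML entities." The same wording appears in the other two release-notes hunks of this commit and should be fixed in all three.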


@@ -19,3 +19,20 @@ filters, which were thus vulnerable.

19 19

The regular expressions used by ``Truncator`` have been simplified in order to

20 20

avoid potential backtracking issues. As a consequence, trailing punctuation may

21 21

now at times be included in the truncated output.

22 + 23 +

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``

24 +

=================================================================

25 + 26 +

Due to the behavior of the underlying ``HTMLParser``,

27 +

:func:`django.utils.html.strip_tags` would be extremely slow to evaluate

28 +

certain inputs containing large sequences of nested incomplete HTML entities.

29 +

The ``strip_tags()`` method is used to implement the corresponding

30 +

:tfilter:`striptags` template filter, which was thus also vulnerable.

31 + 32 +

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress

33 +

removing tags, but necessarily incomplete HTML entities, stops being made.

34 + 35 +

Remember that absolutely NO guarantee is provided about the results of

36 +

``strip_tags()`` being HTML safe. So NEVER mark safe the result of a

37 +

``strip_tags()`` call without escaping it first, for example with

38 +

:func:`django.utils.html.escape`.


@@ -20,6 +20,23 @@ The regular expressions used by ``Truncator`` have been simplified in order to

20 20

avoid potential backtracking issues. As a consequence, trailing punctuation may

21 21

now at times be included in the truncated output.

22 22 23 +

CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``

24 +

=================================================================

25 + 26 +

Due to the behavior of the underlying ``HTMLParser``,

27 +

:func:`django.utils.html.strip_tags` would be extremely slow to evaluate

28 +

certain inputs containing large sequences of nested incomplete HTML entities.

29 +

The ``strip_tags()`` method is used to implement the corresponding

30 +

:tfilter:`striptags` template filter, which was thus also vulnerable.

31 + 32 +

``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress

33 +

removing tags, but necessarily incomplete HTML entities, stops being made.

34 + 35 +

Remember that absolutely NO guarantee is provided about the results of

36 +

``strip_tags()`` being HTML safe. So NEVER mark safe the result of a

37 +

``strip_tags()`` call without escaping it first, for example with

38 +

:func:`django.utils.html.escape`.

39 + 23 40

Bugfixes

24 41

========

25 42 Original file line number Diff line number Diff line change

@@ -88,6 +88,8 @@ def test_strip_tags(self):

88 88

('&gotcha&#;<>', '&gotcha&#;<>'),

89 89

('<sc<!-- -->ript>test<<!-- -->/script>', 'ript>test'),

90 90

('<script>alert()</script>&h', 'alert()h'),

91 +

('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),

92 +

('X<<<<br>br>br>br>X', 'XX'),

91 93

)

92 94

for value, output in items:

93 95

with self.subTest(value=value, output=output):
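Review bot: the regression case `('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D')` only asserts that the output is unchanged; nothing bounds how long the call takes, so a future regression of the stop condition would not fail this test unless the suite is run under a timeout. Consider also asserting on the number of `_strip_once` passes (for example by patching it with `unittest.mock.patch` and checking `call_count`), which pins the behaviour the fix actually changed. The `('X<<<<br>br>br>br>X', 'XX')` case is a good complement since it confirms the stricter condition still iterates when tags are genuinely being removed.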
