mirror of
https://github.com/django/django.git
synced 2025-08-04 19:08:28 +00:00
Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
This commit is contained in:
Sarah Boyce
Natalia
parent
f5ddd54986
commit
320dd27412
7 changed files with 46 additions and 9 deletions
|
|
@ -2922,6 +2922,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
|
|||
email addresses that contain single quotes (``'``), things won't work as
|
||||
expected. Apply this filter only to plain text.
|
||||
|
||||
.. warning::
|
||||
|
||||
Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
|
||||
can become severe when applied to user controlled values such as content
|
||||
stored in a :class:`~django.db.models.TextField`. You can use
|
||||
:tfilter:`truncatechars` to add a limit to such inputs:
|
||||
|
||||
.. code-block:: html+django
|
||||
|
||||
{{ value|truncatechars:500|urlize }}
|
||||
|
||||
.. templatefilter:: urlizetrunc
|
||||
|
||||
``urlizetrunc``
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue