Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-08-04 02:48:35 +00:00 · 2025-04-08 16:30:17 +02:00 · 2025-04-08 16:30:17 +02:00 · 9f3419b519
commit 9f3419b519
parent f7d97dd118
5 changed files with 53 additions and 1 deletions
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@ -145,17 +145,30 @@ class TestUtilsHtml(SimpleTestCase):
            ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
            ("X<<<<br>br>br>br>X", "XX"),
            ("<" * 50 + "a>" * 50, ""),
+            (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
+            ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+            ("<" + "a" * 1_002, "<" + "a" * 1_002),
        )
        for value, output in items:
            with self.subTest(value=value, output=output):
                self.check_output(strip_tags, value, output)
                self.check_output(strip_tags, lazystr(value), output)

-    def test_strip_tags_suspicious_operation(self):
+    def test_strip_tags_suspicious_operation_max_depth(self):
        value = "<" * 51 + "a>" * 51, "<a>"
        with self.assertRaises(SuspiciousOperation):
            strip_tags(value)

+    def test_strip_tags_suspicious_operation_large_open_tags(self):
+        items = [
+            ">" + "<a" * 501,
+            "<a" * 50 + "a" * 950,
+        ]
+        for value in items:
+            with self.subTest(value=value):
+                with self.assertRaises(SuspiciousOperation):
+                    strip_tags(value)
+
    def test_strip_tags_files(self):
        # Test with more lengthy content (also catching performance regressions)
        for filename in ("strip_tags1.html", "strip_tags2.txt"):