django.git/django/utils/html.py, branch stable/5.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2025-05-07T01:24:24Z [5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags(). 2025-05-07T01:24:24Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-04-08T14:30:17Z urn:sha1:c9731dc656e533187b021b4d81f8293d6c943a43 Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main. [5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows. 2025-04-02T08:23:46Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-03-06T14:24:56Z urn:sha1:2cb311f7b069723027fb5def4044d1816d7d2afd Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main. [5.2.x] Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html. 2025-01-23T09:40:58Z Mike Edmunds medmunds@gmail.com 2024-12-15T00:54:42Z urn:sha1:698d05c11c27d4ed5fd75194ac0edcf133bd7600 Removed obsolete and potentially problematic IDNA 2003 ("punycode") encoding of international domain names in smart_urlquote() and Urlizer, which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc template filters. Changed to use percent-encoded UTF-8, which defers IDNA details to the browser (like other URLs rendered by Django). Backport of 29ba75e6e57414f0e6f9528d08a520b8b931fb28 from main. [5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails. 2025-01-20T13:04:35Z greg marianigregory@pm.me 2025-01-20T07:49:37Z urn:sha1:dab04b89af91467e9a95ffaf30c1904fce7fff47 Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main. Fixed #35998 -- Added caching to django.utils.html.urlize(). 2025-01-14T16:59:32Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-10-11T11:44:12Z urn:sha1:b721f127603516c75ebda6912046ff5f0694e150 Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer. 2024-12-17T09:18:48Z Mike Edmunds medmunds@gmail.com 2024-12-14T23:57:41Z urn:sha1:322e49ba3071022dde96f6aae71a578a1588db33 Urlizer was not properly encoding email addresses containing punctuation in generated mailto links. Per RFC 6068, fixed by percent encoding (urllib.parse.quote) the local and domain address parts. Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags(). 2024-12-04T12:43:13Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-11-13T14:06:23Z urn:sha1:49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews. Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 2024-09-03T12:22:32Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-08-12T13:17:57Z urn:sha1:320dd27412e791e119d088281913d8f649617a13 Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Refs #34609 -- Fixed deprecation warning stack level in format_html(). 2024-08-27T18:14:50Z Adam Johnson me@adamj.eu 2024-08-27T18:14:50Z urn:sha1:2b71b2c8dcd40f2604310bb3914077320035b399 Co-authored-by: Simon Charette <charette.s@gmail.com> Fixed #35668 -- Added mapping support to format_html_join. 2024-08-20T06:20:34Z nabil-rady midorady9999@gmail.com 2024-08-13T21:58:37Z urn:sha1:231c0d85931b5afde3e3caec0e6bc5ca6132bb7a