django.git/django/utils/text.py, branch stable/4.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F4.2.x 2026-02-03T13:25:31Z [4.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input. 2026-02-03T13:25:31Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T18:24:55Z urn:sha1:b40cfc6052ced26dcd8166a58ea6f841d0d2cac8 The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main. [4.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter. 2025-04-23T20:33:02Z Matti Pohjanvirta matti.pohjanvirta@iki.fi 2025-04-20T15:22:51Z urn:sha1:e61e3daaf037507211028494d61f24382be31e5a Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main. [4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter. 2025-03-06T09:01:44Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-02-25T08:40:54Z urn:sha1:e88f7376fe68dbf4ebaf11fad1513ce700b45860 Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words(). 2024-03-04T07:36:56Z Shai Berger shai@platonix.com 2024-02-19T12:56:37Z urn:sha1:3c9a2771cc80821e041b16eb36c1c37af5349d4a Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. 2023-10-04T12:39:49Z Natalia 124304+nessita@users.noreply.github.com 2023-09-19T12:51:48Z urn:sha1:be9c27c4d18c2e6a5be8af4e53c0797440794473 Thanks Wenchao Li of Alibaba Group for the report. Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware. 2022-12-17T07:46:37Z Andreas Pelme andreas@pelme.se 2022-11-20T20:46:55Z urn:sha1:ab7a85ac297464df82d8363455609979ca3603db Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Refs #27753 -- Removed unused django.utils.text._replace_entity() and _entity_re. 2021-12-30T12:19:25Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-12-30T12:19:25Z urn:sha1:a21a63cc288ba51bcf8c227a49de6f5bb9a72cc3 Unused since 157ab32f3446da7fa1f9d716509c290069a2a156. Fixed unescape_string_literal() crash on empty strings. 2021-12-14T19:19:44Z Florian Apolloner florian@apolloner.eu 2021-12-14T11:38:28Z urn:sha1:e1d673c373a7d032060872b690a92fc95496612e Fixed #32859 -- Simplified compress_string() by using gzip.compress(). 2021-06-21T11:19:11Z Illia Volochii illia.volochii@gmail.com 2021-06-17T16:36:44Z urn:sha1:5a468b4c085900ba28b7f8dfa2cb0b50d7699aa6