django.git/tests/utils_tests/test_text.py, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-03-09T12:41:00Z Fixed #36293 -- Avoided buffering streaming responses in GZipMiddleware. 2026-03-09T12:41:00Z farhan farhanalirazaazeemi@gmail.com 2025-12-13T18:33:33Z urn:sha1:12bb16da8fbadac34e2de318cc79d7d765f35a96 This avoids latency and/or blocking. The example of streaming a CSV file was rewritten to employ batching for greater efficiency in all layers (db, HTTP, etc.). The improved performance from batching should outweigh the drag introduced by an additional byte for each flush. Co-authored-by: huoyinghui <huoyinghui@users.noreply.github.com> Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit references from HTML truncation docs. 2026-02-25T16:08:52Z Natalia 124304+nessita@users.noreply.github.com 2026-02-25T13:37:38Z urn:sha1:bbc6818bc12f14c1764a7eb68556018195f56b59 Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input. 2026-02-03T12:54:16Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T12:53:10Z urn:sha1:a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews. Applied Black's 2025 stable style. 2025-03-01T18:41:37Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-03-01T18:41:37Z urn:sha1:ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 https://github.com/psf/black/releases/tag/25.1.0 Refs CVE-2024-27351 -- Forwardported release notes and tests. 2024-03-04T07:22:00Z Shai Berger shai@platonix.com 2024-02-19T12:56:37Z urn:sha1:f6ad8c7676f85dfde5a279b6b1469251421289e2 Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> Fixed #30686 -- Used Python HTMLParser in utils.text.Truncator. 2024-02-07T08:46:25Z David Smith smithdc@gmail.com 2023-01-03T20:48:06Z urn:sha1:6ee37ada3241ed263d8d1c2901b030d964cbd161 Refs #30686 -- Fixed text truncation for negative or zero lengths. 2024-02-07T04:18:35Z David Smith smithdc@gmail.com 2024-02-06T19:52:52Z urn:sha1:70f39e46f86b946c273340d52109824c776ffb4c Refs #30686 -- Improved test coverage of Truncator. 2024-02-06T15:35:08Z David Smith smithdc@gmail.com 2023-01-03T08:17:56Z urn:sha1:48a469395191e87d3b84ad35bae2c8b53d91ed61 Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. 2023-10-04T12:22:26Z Natalia 124304+nessita@users.noreply.github.com 2023-09-19T12:51:48Z urn:sha1:17b51094d778b421bb2b3aae0c270894b050455d Thanks Wenchao Li of Alibaba Group for the report. Removed unnecessary trailing commas in tests. 2023-08-22T10:42:57Z konsti konstin@mailbox.org 2023-08-22T10:42:57Z urn:sha1:48a1929ca050f1333927860ff561f6371706968a