django.git/tests/utils_tests/test_text.py, branch stable/4.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F4.2.x 2026-02-03T13:25:31Z [4.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input. 2026-02-03T13:25:31Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T18:24:55Z urn:sha1:b40cfc6052ced26dcd8166a58ea6f841d0d2cac8 The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main. [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words(). 2024-03-04T07:36:56Z Shai Berger shai@platonix.com 2024-02-19T12:56:37Z urn:sha1:3c9a2771cc80821e041b16eb36c1c37af5349d4a Thanks Seokchan Yoon for the report. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. 2023-10-04T12:39:49Z Natalia 124304+nessita@users.noreply.github.com 2023-09-19T12:51:48Z urn:sha1:be9c27c4d18c2e6a5be8af4e53c0797440794473 Thanks Wenchao Li of Alibaba Group for the report. Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07T19:37:05Z Mariusz Felisiak felisiak.mariusz@gmail.com 2022-02-04T07:08:27Z urn:sha1:7119f40c9881666b6f9b5cf7df09ee1d21cc8344 Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Fixed unescape_string_literal() crash on empty strings. 2021-12-14T19:19:44Z Florian Apolloner florian@apolloner.eu 2021-12-14T11:38:28Z urn:sha1:e1d673c373a7d032060872b690a92fc95496612e Added test for ValueErrors in unescape_string_literal(). 2021-12-14T19:18:43Z Florian Apolloner florian@apolloner.eu 2021-12-14T19:16:41Z urn:sha1:5d9c512e5b42e1c686300c214453bf0b820d7326 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04T06:44:42Z Florian Apolloner florian@apolloner.eu 2021-04-14T16:23:44Z urn:sha1:0b79eb36915d178aef5c6a7bbce71b1e76d376d3 Refs #27753 -- Removed django.utils.text.unescape_entities() per deprecation timeline. 2021-01-14T16:50:04Z Mariusz Felisiak felisiak.mariusz@gmail.com 2021-01-07T07:09:04Z urn:sha1:157ab32f3446da7fa1f9d716509c290069a2a156 Refs #27804 -- Used subTest() in tests.utils_tests.test_text. 2020-06-04T09:16:21Z Jon Dufresne jon.dufresne@gmail.com 2020-06-04T09:16:21Z urn:sha1:f47d5aac622c334ebeba06b7460204aeb98661e2