django.git/tests/utils_tests/test_text.py, branch stable/5.2.x

[5.2.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit references from HTML truncation docs.

2026-02-25T16:12:17Z

Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.

[5.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input.

2026-02-03T13:15:39Z

The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.

[5.2.x] Applied Black's 2025 stable style.

2025-03-01T18:47:17Z

https://github.com/psf/black/releases/tag/25.1.0 Backport of ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 from main

Refs CVE-2024-27351 -- Forwardported release notes and tests.

2024-03-04T07:22:00Z

Co-Authored-By: Mariusz Felisiak

Fixed #30686 -- Used Python HTMLParser in utils.text.Truncator.

2024-02-07T08:46:25Z

Refs #30686 -- Fixed text truncation for negative or zero lengths.

2024-02-07T04:18:35Z

Refs #30686 -- Improved test coverage of Truncator.

2024-02-06T15:35:08Z

Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.

2023-10-04T12:22:26Z

Thanks Wenchao Li of Alibaba Group for the report.

Removed unnecessary trailing commas in tests.

2023-08-22T10:42:57Z

Refs #33476 -- Refactored code to strictly match 88 characters line length.

2022-02-07T19:37:05Z