summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-12 15:17:57 +0200
committerNatalia <124304+nessita@users.noreply.github.com>2024-09-03 09:24:13 -0300
commit022ab0a75c76ab2ea31dfcc5f2cf5501e378d397 (patch)
treefb463682e3ab90de998b49e4b6fdc22b53438e0a /docs/ref
parent62039659603ca0fa2df796d1732c4b414549c52b (diff)
[5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/templates/builtins.txt11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 3e2d63800a..86841b3dbd 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text.
+.. warning::
+
+ Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
+ can become severe when applied to user controlled values such as content
+ stored in a :class:`~django.db.models.TextField`. You can use
+ :tfilter:`truncatechars` to add a limit to such inputs:
+
+ .. code-block:: html+django
+
+ {{ value|truncatechars:500|urlize }}
+
.. templatefilter:: urlizetrunc
``urlizetrunc``