summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/security.txt26
-rw-r--r--docs/ref/templates/builtins.txt11
2 files changed, 26 insertions, 11 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index e4801c19ee..3a9905095c 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -168,6 +168,32 @@ Django contains many private and undocumented functions that are not part of
its public API. If a vulnerability depends on directly calling these internal
functions in an unsafe way, it will not be considered a valid security issue.
+Content displayed by the Django Template Language must be under 100 KB
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Django Template Language (DTL) is designed for building the content needed
+to display web pages. In particular its text filters are meant for that kind of
+usage.
+
+For reference, the complete works of Shakespeare have about 3.5 million bytes
+in plain-text ASCII encoding. Displaying such in a single request is beyond the
+scope of almost all websites, and so outside the scope of the DTL too.
+
+Text processing is expensive. Django makes no guarantee that DTL text filters
+are never subject to degraded performance if passed deliberately crafted,
+sufficiently large inputs. Under default configurations, Django makes it
+difficult for sites to accidentally accept such payloads from untrusted
+sources, but, if it is necessary to display large amounts of user-provided
+content, it’s important that basic security measures are taken.
+
+User-provided content should always be constrained to known maximum length. It
+should be filtered to remove malicious content, and validated to match expected
+formats. It should then be processed offline, if necessary, before being
+displayed.
+
+Proof of concepts which use over 100 KB of data to be processed by the DTL will
+be considered invalid.
+
.. _security-report-evaluation:
How does Django evaluate a report
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 7d2cf93085..b6e00eb9b1 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2932,17 +2932,6 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text.
-.. warning::
-
- Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
- can become severe when applied to user controlled values such as content
- stored in a :class:`~django.db.models.TextField`. You can use
- :tfilter:`truncatechars` to add a limit to such inputs:
-
- .. code-block:: html+django
-
- {{ value|truncatechars:500|urlize }}
-
.. templatefilter:: urlizetrunc
``urlizetrunc``