diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 11 | ||||
| -rw-r--r-- | docs/releases/4.2.16.txt | 7 |
2 files changed, 17 insertions, 1 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 39aa398338..dda5b42655 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2831,6 +2831,17 @@ Django's built-in :tfilter:`escape` filter. The default value for email addresses that contain single quotes (``'``), things won't work as expected. Apply this filter only to plain text. +.. warning:: + + Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which + can become severe when applied to user controlled values such as content + stored in a :class:`~django.db.models.TextField`. You can use + :tfilter:`truncatechars` to add a limit to such inputs: + + .. code-block:: html+django + + {{ value|truncatechars:500|urlize }} + .. templatefilter:: urlizetrunc ``urlizetrunc`` diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt index 9853004386..2a84186867 100644 --- a/docs/releases/4.2.16.txt +++ b/docs/releases/4.2.16.txt @@ -7,4 +7,9 @@ Django 4.2.16 release notes Django 4.2.16 fixes one security issue with severity "moderate" and one security issue with severity "low" in 4.2.15. -... +CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` +=========================================================================================== + +:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential +denial-of-service attack via very large inputs with a specific sequence of +characters. |
