summaryrefslogtreecommitdiff
path: root/django/utils/html.py
AgeCommit message (Collapse)Author
2025-04-02[5.2.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵Sarah Boyce
url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
2025-01-23[5.2.x] Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html.Mike Edmunds
Removed obsolete and potentially problematic IDNA 2003 ("punycode") encoding of international domain names in smart_urlquote() and Urlizer, which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc template filters. Changed to use percent-encoded UTF-8, which defers IDNA details to the browser (like other URLs rendered by Django). Backport of 29ba75e6e57414f0e6f9528d08a520b8b931fb28 from main.
2025-01-20[5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails.greg
Backport of 61dae11df52fae71fc3050974ac459f362c9dfd7 from main.
2025-01-14Fixed #35998 -- Added caching to django.utils.html.urlize().Sarah Boyce
2024-12-17Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.Mike Edmunds
Urlizer was not properly encoding email addresses containing punctuation in generated mailto links. Per RFC 6068, fixed by percent encoding (urllib.parse.quote) the local and domain address parts.
2024-12-04Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-09-03Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc ↵Sarah Boyce
template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-27Refs #34609 -- Fixed deprecation warning stack level in format_html().Adam Johnson
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-20Fixed #35668 -- Added mapping support to format_html_join.nabil-rady
2024-08-06Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵Mariusz Felisiak
django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc ↵Sarah Boyce
template filters. Thanks to MProgrammer for the report.
2024-07-09Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc ↵Adam Johnson
template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-03-14Refs #30686 -- Made django.utils.html.VOID_ELEMENTS a frozenset.Nick Pope
2023-07-14Refs #30686 -- Moved Parser.SELF_CLOSING_TAGS to django.utils.html.VOID_ELEMENTSDavid Smith
2023-06-06Fixed #34609 -- Deprecated calling format_html() without arguments.devilsautumn
2023-01-18Refs #34233 -- Used str.removeprefix()/removesuffix().Mariusz Felisiak
2022-11-10Updated documentation and comments for RFC updates.Nick Pope
- Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents
2022-06-28Fixed #33779 -- Allowed customizing encoder class in ↵Hrushikesh Vaidya
django.utils.html.json_script().
2022-02-21Removed unnecessary str type from @keep_lazy decorator for escape()/escapejs().Mariusz Felisiak
2022-02-10Refs #32568 -- Optimized escape() by using SafeString instead of mark_safe().David
2022-02-07Refs #33476 -- Reformatted code with Black.django-bot
2021-11-22Fixed #33302 -- Made element_id optional argument for json_script template ↵Baptiste Mispelon
filter. Added versionchanged note in documentation
2021-11-03Refs #33245 -- Minor edits to django.utils.html.urlize() changes.tim-mccurrach
Follow up to ad81b606a2b5276397460a654fc7ad901a54b91e.
2021-11-01Fixed #33245 -- Made django.utils.html.urlize() thread-safe.Timothy McCurrach
Regression in e567670b1abe61af4acfaa6a6a7e92a7acfa8b00.
2021-10-15Fixed #33195 -- Refactored urlize() based on a class.Claude Paroz
This allows easier customization/
2021-10-14Removed unused DOTS list.Claude Paroz
Unused since 4ff389dcdc15884eef059b2b8dea4b710e0a3b98.
2021-07-07Fixed #32866 -- Fixed trimming trailing punctuation from escaped string in ↵Shipeng Feng
urlize().
2019-11-25Removed unused unencoded_ampersands_re regex.Baptiste Mispelon
Unused since 8b81dee60c1533e714a310fa5c3907356042a64c.
2019-10-29Fixed #30899 -- Lazily compiled import time regular expressions.Hasan Ramezani
2019-08-01Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in ↵Florian Apolloner
strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report.
2019-07-03Refs #30608 -- Added django.utils.encoding.punycode().Mariusz Felisiak
2019-07-02Fixed typos in comments and docs.Min ho Kim
2019-04-25Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use ↵Jon Dufresne
html.escape()/unescape().
2019-02-06Refs #27753 -- Favored SafeString over SafeText.Tim Graham
2018-10-12Simplified django.utils.html.urlize().Tim Graham
2018-10-12Refs #29826 -- Removed unused characters from urlize configuration.Tim Graham
The HTML characters are unused because urlize is meant to be applied to plain text and these characters aren't properly detected (refs #29826). Angle brackets and quotes are present in word_split_re and therefore won't be used in WRAPPING_PUNCTUATION.
2018-09-28Refs #28909 -- Simplifed code using unpacking generalizations.Sergey Fedoseev
2018-09-26Refs #29784 -- Switched to https:// links where available.Jon Dufresne
2018-08-21Fixed #29654 -- Made text truncation an ellipsis character instead of three ↵Claude Paroz
dots. Thanks Sudhanshu Mishra for the initial patch and Tim Graham for the review.
2018-03-06Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and ↵Tim Graham
urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch.
2018-02-09Refs #27795 -- Replaced force_text() calls with str() in django.utils.html.Jon Dufresne
2018-02-07Fixed #17419 -- Added json_tag template filter.Jonas Haag
2018-01-21Fixed #29038 -- Removed closing slash from HTML void tags.Jon Dufresne
2017-12-07Refs #23919 -- Replaced super() calls for old-style classes.Nick Pope
2017-10-13Improved performance of utils.html.escape().Tom
2017-09-25Fixed #27857 -- Dropped support for Python 3.4.Tim Graham
2017-04-27Refs #27795 -- Replaced many force_text() with str()Claude Paroz
Thanks Tim Graham for the review.
2017-03-04Fixed #27900 -- Made escapejs escape backticks for use in ES6 template literals.Tim Graham
2017-02-11Refs #27656 -- Updated django.utils docstring verbs according to PEP 257.Anton Samarchyan
2017-02-02Fixed #27803 -- Kept safe status of lazy safe strings in conditional_escapeClaude Paroz