From 022ab0a75c76ab2ea31dfcc5f2cf5501e378d397 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Mon, 12 Aug 2024 15:17:57 +0200 Subject: [5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. --- docs/ref/templates/builtins.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'docs/ref') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 3e2d63800a..86841b3dbd 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for email addresses that contain single quotes (``'``), things won't work as expected. Apply this filter only to plain text. +.. warning:: + + Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which + can become severe when applied to user controlled values such as content + stored in a :class:`~django.db.models.TextField`. You can use + :tfilter:`truncatechars` to add a limit to such inputs: + + .. code-block:: html+django + + {{ value|truncatechars:500|urlize }} + .. templatefilter:: urlizetrunc ``urlizetrunc`` -- cgit v1.3