From 11243cc8f3b8a60a73e5b9ed2d9c56b4632fc3a3 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Fri, 21 Feb 2025 16:47:59 +0100 Subject: [5.1.x] Added security guideline on reasonable size limitations when rendering content via the DTL. This also removes the need to add warnings for every Django template filter. Backport of 582ba18d56167587e290545f113d3956e73a5801 from main. --- docs/ref/templates/builtins.txt | 11 ----------- 1 file changed, 11 deletions(-) (limited to 'docs/ref') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 7d2cf93085..b6e00eb9b1 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2932,17 +2932,6 @@ Django's built-in :tfilter:`escape` filter. The default value for email addresses that contain single quotes (``'``), things won't work as expected. Apply this filter only to plain text. -.. warning:: - - Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which - can become severe when applied to user controlled values such as content - stored in a :class:`~django.db.models.TextField`. You can use - :tfilter:`truncatechars` to add a limit to such inputs: - - .. code-block:: html+django - - {{ value|truncatechars:500|urlize }} - .. templatefilter:: urlizetrunc ``urlizetrunc`` -- cgit v1.3