diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-02-21 16:47:59 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-02-24 08:59:00 +0100 |
| commit | 11243cc8f3b8a60a73e5b9ed2d9c56b4632fc3a3 (patch) | |
| tree | d4627f17792ba7d798972384cabbc0c8a52168e9 | |
| parent | b80288a16d306c38732706b7847ec7e9dd3f55e8 (diff) | |
[5.1.x] Added security guideline on reasonable size limitations when rendering content via the DTL.
This also removes the need to add warnings for every Django template filter.
Backport of 582ba18d56167587e290545f113d3956e73a5801 from main.
| -rw-r--r-- | docs/internals/security.txt | 26 | ||||
| -rw-r--r-- | docs/ref/templates/builtins.txt | 11 |
2 files changed, 26 insertions, 11 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index e4801c19ee..3a9905095c 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -168,6 +168,32 @@ Django contains many private and undocumented functions that are not part of its public API. If a vulnerability depends on directly calling these internal functions in an unsafe way, it will not be considered a valid security issue. +Content displayed by the Django Template Language must be under 100 KB +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Django Template Language (DTL) is designed for building the content needed +to display web pages. In particular its text filters are meant for that kind of +usage. + +For reference, the complete works of Shakespeare have about 3.5 million bytes +in plain-text ASCII encoding. Displaying such in a single request is beyond the +scope of almost all websites, and so outside the scope of the DTL too. + +Text processing is expensive. Django makes no guarantee that DTL text filters +are never subject to degraded performance if passed deliberately crafted, +sufficiently large inputs. Under default configurations, Django makes it +difficult for sites to accidentally accept such payloads from untrusted +sources, but, if it is necessary to display large amounts of user-provided +content, it’s important that basic security measures are taken. + +User-provided content should always be constrained to known maximum length. It +should be filtered to remove malicious content, and validated to match expected +formats. It should then be processed offline, if necessary, before being +displayed. + +Proof of concepts which use over 100 KB of data to be processed by the DTL will +be considered invalid. + .. _security-report-evaluation: How does Django evaluate a report diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 7d2cf93085..b6e00eb9b1 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2932,17 +2932,6 @@ Django's built-in :tfilter:`escape` filter. The default value for email addresses that contain single quotes (``'``), things won't work as expected. Apply this filter only to plain text. -.. warning:: - - Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which - can become severe when applied to user controlled values such as content - stored in a :class:`~django.db.models.TextField`. You can use - :tfilter:`truncatechars` to add a limit to such inputs: - - .. code-block:: html+django - - {{ value|truncatechars:500|urlize }} - .. templatefilter:: urlizetrunc ``urlizetrunc`` |