[4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-08 16:30:17 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-05-06 22:36:15 -0300
commit: 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c (patch)
tree: a016a9d3043f023d15f857053a318a61116c463a /django/utils/html.py
parent: ca31ca09f7ae5abab76012752a24a317544cdc2d (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/django/utils/html.py b/django/utils/html.py
index a3a7238cba..84c37d1186 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -17,6 +17,9 @@ from django.utils.text import normalize_newlines
 MAX_URL_LENGTH = 2048
 MAX_STRIP_TAGS_DEPTH = 50
 
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
 
 @keep_lazy(SafeString)
 def escape(text):
@@ -175,6 +178,9 @@ def _strip_once(value):
 def strip_tags(value):
     """Return the given HTML with all tags stripped."""
     value = str(value)
+    for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+        if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
     # Note: in typical case this loop executes _strip_once twice (the second
     # execution does not remove any more tags).
     strip_tags_depth = 0
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-08 16:30:17 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-05-06 22:36:15 -0300
commit	9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c (patch)
tree	a016a9d3043f023d15f857053a318a61116c463a /django/utils/html.py
parent	ca31ca09f7ae5abab76012752a24a317544cdc2d (diff)