[5.1.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-08 16:30:17 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-05-06 22:31:16 -0300
commit: 0b42f6a528df966729b24ecaaed67f85e5edc3dc (patch)
tree: d6173a95a2babd9ce9740b4d710c54566378d3f7 /django/utils/html.py
parent: 1520d18e9c65a95339dc453a655ac91489532e9c (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/django/utils/html.py b/django/utils/html.py
index 8892b9a740..0f0041f34b 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -41,6 +41,9 @@ VOID_ELEMENTS = frozenset(
 
 MAX_STRIP_TAGS_DEPTH = 50
 
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
 
 @keep_lazy(SafeString)
 def escape(text):
@@ -207,6 +210,9 @@ def _strip_once(value):
 def strip_tags(value):
     """Return the given HTML with all tags stripped."""
     value = str(value)
+    for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+        if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
     # Note: in typical case this loop executes _strip_once twice (the second
     # execution does not remove any more tags).
     strip_tags_depth = 0
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-08 16:30:17 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-05-06 22:31:16 -0300
commit	0b42f6a528df966729b24ecaaed67f85e5edc3dc (patch)
tree	d6173a95a2babd9ce9740b4d710c54566378d3f7 /django/utils/html.py
parent	1520d18e9c65a95339dc453a655ac91489532e9c (diff)