[5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-08 16:30:17 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-05-06 22:24:24 -0300
commit: c9731dc656e533187b021b4d81f8293d6c943a43 (patch)
tree: e44405691249df1dba344eb9f9b36acb361958a9 /django/utils/html.py
parent: ae6b5df711fa47f626cdf4b07a8751d9752b367a (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/django/utils/html.py b/django/utils/html.py
index 5ac07ba0ee..91224d20b2 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -42,6 +42,9 @@ VOID_ELEMENTS = frozenset(
 
 MAX_STRIP_TAGS_DEPTH = 50
 
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
 
 @keep_lazy(SafeString)
 def escape(text):
@@ -213,6 +216,9 @@ def _strip_once(value):
 def strip_tags(value):
     """Return the given HTML with all tags stripped."""
     value = str(value)
+    for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+        if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
     # Note: in typical case this loop executes _strip_once twice (the second
     # execution does not remove any more tags).
     strip_tags_depth = 0
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-08 16:30:17 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-05-06 22:24:24 -0300
commit	c9731dc656e533187b021b4d81f8293d6c943a43 (patch)
tree	e44405691249df1dba344eb9f9b36acb361958a9 /django/utils/html.py
parent	ae6b5df711fa47f626cdf4b07a8751d9752b367a (diff)