Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-08 16:30:17 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-05-06 22:21:42 -0300
commit: 9f3419b519799d69f2aba70b9d25abe2e70d03e0 (patch)
tree: 79d3c37e81798ca4e419f2df6f1325b7ae51cffb /django/utils
parent: f7d97dd11819be8996798a7197c5695a317334a0 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/django/utils/html.py b/django/utils/html.py
index 8676ae3092..56435eb7e2 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -43,6 +43,9 @@ VOID_ELEMENTS = frozenset(
 
 MAX_STRIP_TAGS_DEPTH = 50
 
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
 
 @keep_lazy(SafeString)
 def escape(text):
@@ -208,6 +211,9 @@ def _strip_once(value):
 def strip_tags(value):
     """Return the given HTML with all tags stripped."""
     value = str(value)
+    for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+        if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
     # Note: in typical case this loop executes _strip_once twice (the second
     # execution does not remove any more tags).
     strip_tags_depth = 0
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-08 16:30:17 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-05-06 22:21:42 -0300
commit	9f3419b519799d69f2aba70b9d25abe2e70d03e0 (patch)
tree	79d3c37e81798ca4e419f2df6f1325b7ae51cffb /django/utils
parent	f7d97dd11819be8996798a7197c5695a317334a0 (diff)