[4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-08-12 15:17:57 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2024-09-03 09:42:15 -0300
commit: d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 (patch)
tree: 490946e5437ffb064fe1f2e655f7e6566d8c7257 /docs/ref
parent: 705066d186ce880bf64142e47084f3d8df3c2352 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 39aa398338..dda5b42655 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2831,6 +2831,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
     email addresses that contain single quotes (``'``), things won't work as
     expected. Apply this filter only to plain text.
 
+.. warning::
+
+    Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
+    can become severe when applied to user controlled values such as content
+    stored in a :class:`~django.db.models.TextField`. You can use
+    :tfilter:`truncatechars` to add a limit to such inputs:
+
+    .. code-block:: html+django
+
+        {{ value|truncatechars:500|urlize }}
+
 .. templatefilter:: urlizetrunc
 
 ``urlizetrunc``
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-08-12 15:17:57 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2024-09-03 09:42:15 -0300
commit	d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 (patch)
tree	490946e5437ffb064fe1f2e655f7e6566d8c7257 /docs/ref
parent	705066d186ce880bf64142e47084f3d8df3c2352 (diff)