Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-08 16:30:17 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-05-06 22:21:42 -0300
commit: 9f3419b519799d69f2aba70b9d25abe2e70d03e0 (patch)
tree: 79d3c37e81798ca4e419f2df6f1325b7ae51cffb /docs/releases/4.2.21.txt
parent: f7d97dd11819be8996798a7197c5695a317334a0 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt
index 306269a3e7..cc39105a01 100644
--- a/docs/releases/4.2.21.txt
+++ b/docs/releases/4.2.21.txt
@@ -7,6 +7,17 @@ Django 4.2.21 release notes
 Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
 and a regression in 4.2.20.
 
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
 Bugfixes
 ========
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-08 16:30:17 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-05-06 22:21:42 -0300
commit	9f3419b519799d69f2aba70b9d25abe2e70d03e0 (patch)
tree	79d3c37e81798ca4e419f2df6f1325b7ae51cffb /docs/releases/4.2.21.txt
parent	f7d97dd11819be8996798a7197c5695a317334a0 (diff)