[4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-08 16:30:17 +0200
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-05-06 22:36:15 -0300
commit: 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c (patch)
tree: a016a9d3043f023d15f857053a318a61116c463a /docs
parent: ca31ca09f7ae5abab76012752a24a317544cdc2d (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt
index 306269a3e7..cc39105a01 100644
--- a/docs/releases/4.2.21.txt
+++ b/docs/releases/4.2.21.txt
@@ -7,6 +7,17 @@ Django 4.2.21 release notes
 Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
 and a regression in 4.2.20.
 
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
 Bugfixes
 ========
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-08 16:30:17 +0200
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-05-06 22:36:15 -0300
commit	9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c (patch)
tree	a016a9d3043f023d15f857053a318a61116c463a /docs
parent	ca31ca09f7ae5abab76012752a24a317544cdc2d (diff)