diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-11-13 15:06:23 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-12-04 13:43:13 +0100 |
| commit | 49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba (patch) | |
| tree | 558610a31cb43f7bdc37afaaf619374ac0e43579 /tests/utils_tests | |
| parent | 58e548db8b74e3d265a2e94816489cd0caeeaf91 (diff) | |
Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
Diffstat (limited to 'tests/utils_tests')
| -rw-r--r-- | tests/utils_tests/test_html.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index b47919df99..dc3768e6fa 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -1,6 +1,7 @@ import os from datetime import datetime +from django.core.exceptions import SuspiciousOperation from django.core.serializers.json import DjangoJSONEncoder from django.test import SimpleTestCase from django.utils.deprecation import RemovedInDjango60Warning @@ -145,12 +146,18 @@ class TestUtilsHtml(SimpleTestCase): ("<script>alert()</script>&h", "alert()h"), ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"), ("X<<<<br>br>br>br>X", "XX"), + ("<" * 50 + "a>" * 50, ""), ) for value, output in items: with self.subTest(value=value, output=output): self.check_output(strip_tags, value, output) self.check_output(strip_tags, lazystr(value), output) + def test_strip_tags_suspicious_operation(self): + value = "<" * 51 + "a>" * 51, "<a>" + with self.assertRaises(SuspiciousOperation): + strip_tags(value) + def test_strip_tags_files(self): # Test with more lengthy content (also catching performance regressions) for filename in ("strip_tags1.html", "strip_tags2.txt"): |