| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-11-13 15:06:23 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-12-04 14:32:08 +0100 |
| commit | 790eb058b0716c536a2f2e8d1c6d5079d776c22b (patch) | |
| tree | 92748eee09f50fbeb18f3fb83797b9f6c04ec7a1 /tests | |
| parent | f663277a4c22ef96cbdebfd0ed76155b9d37b4f8 (diff) | |
[4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/utils_tests/test_html.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 7ff5020fb6..579bb2a1e3 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -1,6 +1,7 @@
 import os
 from datetime import datetime
 
+from django.core.exceptions import SuspiciousOperation
 from django.core.serializers.json import DjangoJSONEncoder
 from django.test import SimpleTestCase
 from django.utils.functional import lazystr
@@ -113,12 +114,18 @@ class TestUtilsHtml(SimpleTestCase):
             ("<script>alert()</script>&h", "alert()h"),
             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
             ("X<<<<br>br>br>br>X", "XX"),
+            ("<" * 50 + "a>" * 50, ""),
         )
         for value, output in items:
             with self.subTest(value=value, output=output):
                 self.check_output(strip_tags, value, output)
                 self.check_output(strip_tags, lazystr(value), output)
 
+    def test_strip_tags_suspicious_operation(self):
+        value = "<" * 51 + "a>" * 51, "<a>"
+        with self.assertRaises(SuspiciousOperation):
+            strip_tags(value)
+
     def test_strip_tags_files(self):
         # Test with more lengthy content (also catching performance regressions)
         for filename in ("strip_tags1.html", "strip_tags2.txt"):
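Review bot: The stray `, "<a>"` in `value = "<" * 51 + "a>" * 51, "<a>"` turns `value` into a two-tuple, so `strip_tags(value)` in test_strip_tags_suspicious_operation receives a tuple rather than the crafted 51-deep string. If strip_tags coerces its argument with str() the test may still raise SuspiciousOperation, but it would then be exercising the tuple's repr, not the payload the test is named for, and the regression check against the 50-deep "" case just above would not be testing the boundary precisely. The line should read `value = "<" * 51 + "a>" * 51`. A short comment such as `# One level past MAX_STRIP_TAGS_DEPTH; the 50-level case above must still succeed.` would also make the pairing with the new tuple entry explicit. The enclosing class TestUtilsHtml starts outside the hunk.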
