| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-11-13 15:06:23 +0100 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-12-04 13:47:21 +0100 |
| commit | bbc74a7f7eb7335e913bdb4787f22e83a9be947e (patch) | |
| tree | e78ebd2894f5515ae0547ae55a9ca6a38c85e59e /tests | |
| parent | 5b4d949d7ca118e70985ffc53f8191b766591c12 (diff) | |
[5.1.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/utils_tests/test_html.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 9bee483dc7..75873061de 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -1,6 +1,7 @@
 import os
 from datetime import datetime
 
+from django.core.exceptions import SuspiciousOperation
 from django.core.serializers.json import DjangoJSONEncoder
 from django.test import SimpleTestCase
 from django.utils.deprecation import RemovedInDjango60Warning
@@ -124,12 +125,18 @@ class TestUtilsHtml(SimpleTestCase):
             ("<script>alert()</script>&h", "alert()h"),
             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
             ("X<<<<br>br>br>br>X", "XX"),
+            ("<" * 50 + "a>" * 50, ""),
         )
         for value, output in items:
             with self.subTest(value=value, output=output):
                 self.check_output(strip_tags, value, output)
                 self.check_output(strip_tags, lazystr(value), output)
 
+    def test_strip_tags_suspicious_operation(self):
+        value = "<" * 51 + "a>" * 51, "<a>"
+        with self.assertRaises(SuspiciousOperation):
+            strip_tags(value)
+
     def test_strip_tags_files(self):
         # Test with more lengthy content (also catching performance regressions)
         for filename in ("strip_tags1.html", "strip_tags2.txt"):
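Review bot: In `test_strip_tags_suspicious_operation`, the trailing `, "<a>"` on the `value =` line turns `value` into a two-element tuple rather than a string, so `strip_tags` is handed the tuple and the test presumably only passes because the stringified tuple still contains the 51 `<` characters; the intended input is a plain string, `value = "<" * 51 + "a>" * 51`. Since the positive-path loop above checks both `value` and `lazystr(value)`, it would be consistent to also assert that `strip_tags(lazystr(value))` raises `SuspiciousOperation`, so the depth limit is shown to hold for lazy strings as well. A one-line comment such as `# 51 nested passes exceeds the strip_tags depth limit; 50 is covered in test_strip_tags.` would tie the 50/51 boundary together for the next reader. The `items = (` tuple extended by the new 50-deep case and the enclosing `TestUtilsHtml` class both begin outside the hunk.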
