diff options
Diffstat (limited to 'docs/releases/4.2.21.txt')
| -rw-r--r-- | docs/releases/4.2.21.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt index 306269a3e7..cc39105a01 100644 --- a/docs/releases/4.2.21.txt +++ b/docs/releases/4.2.21.txt @@ -7,6 +7,17 @@ Django 4.2.21 release notes Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug, and a regression in 4.2.20. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ======== |