django.git - django

Age	Commit message (Collapse)	Author
2025-12-17	Fixed #32568 -- Replaced mark_safe() with SafeString for literal values.	Pravin Kamble
	Replaced instances of mark_safe('some string literal') with SafeString to avoid the overhead of managing lazy objects. Thanks Tim McCurrach for the idea and David Smith and Jacob Walls for reviews.
2025-11-20	Fixed #36737 -- Escaped further control characters in escapejs.	farthestmage

2025-11-07	Fixed #36705 -- Avoided string concatenation in utils.	Kasyap Pentamaraju
	Repeated string concatenation performs poorly on PyPy. Thanks Seokchan Yoon for the report.
2025-11-05	Fixed #36710 -- Fixed a regression in urlize for multipart domain names.	Mehraz Hossain Rumman
	Thanks Mehraz Hossain Rumman for the report and Bruno Alla for the triage. Regression in a9fe98d5bd4212d069afe8316101984aadecfbb2.
2025-08-28	Fixed #35533 -- Prevented urlize creating broken links given a markdown link ↵	SaJH
	input. Signed-off-by: SaJH <wogur981208@gmail.com>
2025-07-23	Refs #36500 -- Rewrapped long docstrings and block comments via a script.	django-bot
	Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-05-06	Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().	Sarah Boyce
	Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-04-02	Fixed CVE-2025-27556 -- Mitigated potential DoS in ↵	Sarah Boyce
	url_has_allowed_host_and_scheme() on Windows. Thank you sw0rd1ight for the report.
2025-03-19	Fixed #36000 -- Deprecated HTTP as the default protocol in urlize and ↵	Ahmed Nassar
	urlizetrunc.
2025-01-23	Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html.	Mike Edmunds
	Removed obsolete and potentially problematic IDNA 2003 ("punycode") encoding of international domain names in smart_urlquote() and Urlizer, which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc template filters. Changed to use percent-encoded UTF-8, which defers IDNA details to the browser (like other URLs rendered by Django).
2025-01-20	Fixed #36017 -- Used EmailValidator in urlize to detect emails.	greg

2025-01-15	Refs #34609 -- Removed support for calling format_html() without arguments ↵	Sarah Boyce
	per deprecation timeline.
2025-01-14	Fixed #35998 -- Added caching to django.utils.html.urlize().	Sarah Boyce

2024-12-17	Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.	Mike Edmunds
	Urlizer was not properly encoding email addresses containing punctuation in generated mailto links. Per RFC 6068, fixed by percent encoding (urllib.parse.quote) the local and domain address parts.
2024-12-04	Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().	Sarah Boyce
	Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart for the reviews.
2024-09-03	Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc ↵	Sarah Boyce
	template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-08-27	Refs #34609 -- Fixed deprecation warning stack level in format_html().	Adam Johnson
	Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-20	Fixed #35668 -- Added mapping support to format_html_join.	nabil-rady

2024-08-06	Fixed CVE-2024-41991 -- Prevented potential ReDoS in ↵	Mariusz Felisiak
	django.utils.html.urlize() and AdminURLFieldWidget. Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06	Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc ↵	Sarah Boyce
	template filters. Thanks to MProgrammer for the report.
2024-07-09	Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc ↵	Adam Johnson
	template filters. Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-03-14	Refs #30686 -- Made django.utils.html.VOID_ELEMENTS a frozenset.	Nick Pope

2023-07-14	Refs #30686 -- Moved Parser.SELF_CLOSING_TAGS to django.utils.html.VOID_ELEMENTS	David Smith

2023-06-06	Fixed #34609 -- Deprecated calling format_html() without arguments.	devilsautumn

2023-01-18	Refs #34233 -- Used str.removeprefix()/removesuffix().	Mariusz Felisiak

2022-11-10	Updated documentation and comments for RFC updates.	Nick Pope
	- Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents
2022-06-28	Fixed #33779 -- Allowed customizing encoder class in ↵	Hrushikesh Vaidya
	django.utils.html.json_script().
2022-02-21	Removed unnecessary str type from @keep_lazy decorator for escape()/escapejs().	Mariusz Felisiak

2022-02-10	Refs #32568 -- Optimized escape() by using SafeString instead of mark_safe().	David

2022-02-07	Refs #33476 -- Reformatted code with Black.	django-bot

2021-11-22	Fixed #33302 -- Made element_id optional argument for json_script template ↵	Baptiste Mispelon
	filter. Added versionchanged note in documentation
2021-11-03	Refs #33245 -- Minor edits to django.utils.html.urlize() changes.	tim-mccurrach
	Follow up to ad81b606a2b5276397460a654fc7ad901a54b91e.
2021-11-01	Fixed #33245 -- Made django.utils.html.urlize() thread-safe.	Timothy McCurrach
	Regression in e567670b1abe61af4acfaa6a6a7e92a7acfa8b00.
2021-10-15	Fixed #33195 -- Refactored urlize() based on a class.	Claude Paroz
	This allows easier customization/
2021-10-14	Removed unused DOTS list.	Claude Paroz
	Unused since 4ff389dcdc15884eef059b2b8dea4b710e0a3b98.
2021-07-07	Fixed #32866 -- Fixed trimming trailing punctuation from escaped string in ↵	Shipeng Feng
	urlize().
2019-11-25	Removed unused unencoded_ampersands_re regex.	Baptiste Mispelon
	Unused since 8b81dee60c1533e714a310fa5c3907356042a64c.
2019-10-29	Fixed #30899 -- Lazily compiled import time regular expressions.	Hasan Ramezani

2019-08-01	Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in ↵	Florian Apolloner
	strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report.
2019-07-03	Refs #30608 -- Added django.utils.encoding.punycode().	Mariusz Felisiak

2019-07-02	Fixed typos in comments and docs.	Min ho Kim

2019-04-25	Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use ↵	Jon Dufresne
	html.escape()/unescape().
2019-02-06	Refs #27753 -- Favored SafeString over SafeText.	Tim Graham

2018-10-12	Simplified django.utils.html.urlize().	Tim Graham

2018-10-12	Refs #29826 -- Removed unused characters from urlize configuration.	Tim Graham
	The HTML characters are unused because urlize is meant to be applied to plain text and these characters aren't properly detected (refs #29826). Angle brackets and quotes are present in word_split_re and therefore won't be used in WRAPPING_PUNCTUATION.
2018-09-28	Refs #28909 -- Simplifed code using unpacking generalizations.	Sergey Fedoseev

2018-09-26	Refs #29784 -- Switched to https:// links where available.	Jon Dufresne

2018-08-21	Fixed #29654 -- Made text truncation an ellipsis character instead of three ↵	Claude Paroz
	dots. Thanks Sudhanshu Mishra for the initial patch and Tim Graham for the review.
2018-03-06	Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and ↵	Tim Graham
	urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch.
2018-02-09	Refs #27795 -- Replaced force_text() calls with str() in django.utils.html.	Jon Dufresne