diff --git a/docs/internals/security.txt b/docs/internals/security.txt index e4801c19ee..3a9905095c 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -168,6 +168,32 @@ Django contains many private and undocumented functions that are not part of its public API. If a vulnerability depends on directly calling these internal functions in an unsafe way, it will not be considered a valid security issue. +Content displayed by the Django Template Language must be under 100 KB +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Django Template Language (DTL) is designed for building the content needed +to display web pages. In particular its text filters are meant for that kind of +usage. + +For reference, the complete works of Shakespeare have about 3.5 million bytes +in plain-text ASCII encoding. Displaying such in a single request is beyond the +scope of almost all websites, and so outside the scope of the DTL too. + +Text processing is expensive. Django makes no guarantee that DTL text filters +are never subject to degraded performance if passed deliberately crafted, +sufficiently large inputs. Under default configurations, Django makes it +difficult for sites to accidentally accept such payloads from untrusted +sources, but, if it is necessary to display large amounts of user-provided +content, it’s important that basic security measures are taken. + +User-provided content should always be constrained to known maximum length. It +should be filtered to remove malicious content, and validated to match expected +formats. It should then be processed offline, if necessary, before being +displayed. + +Proof of concepts which use over 100 KB of data to be processed by the DTL will +be considered invalid. + .. _security-report-evaluation: How does Django evaluate a report diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 27644a3152..41ddca8560 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2922,17 +2922,6 @@ Django's built-in :tfilter:`escape` filter. The default value for email addresses that contain single quotes (``'``), things won't work as expected. Apply this filter only to plain text. -.. warning:: - - Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which - can become severe when applied to user controlled values such as content - stored in a :class:`~django.db.models.TextField`. You can use - :tfilter:`truncatechars` to add a limit to such inputs: - - .. code-block:: html+django - - {{ value|truncatechars:500|urlize }} - .. templatefilter:: urlizetrunc ``urlizetrunc``