9a720d5c50  Natalia  2025-08-13 17:48:37 -03:00
    [5.2.x] Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_strip_tags following Python's HTMLParser new behavior.

    Python fixed a quadratic complexity processing for HTMLParser in:
    https://github.com/python/cpython/commit/6eb6c5db .
    Backport of 2980627502

c9731dc656  Sarah Boyce  2025-05-06 22:24:24 -03:00
    [5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().

    Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
    Howard for the reviews.
    Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
    Backport of 9f3419b519

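The strip_tags() entries in this history (the HTMLParser behaviour change and CVE-2025-32873 above, and CVE-2024-53907, CVE-2019-14233 and the 2015 infinite-loop fix further down) all concern the same failure mode: tag stripping runs an HTMLParser over the text repeatedly until no recognisable tag is left, so an input built from nested or incomplete tags makes the total work grow with the number of passes times the input length. The example below is added here and is not Django's code: a minimal HTMLParser-based stripper in that style, plus the two caps a practitioner would want, a maximum input length and a maximum number of passes. The cap values and the SuspiciousInput exception are illustrative choices for this example, not Django's constants or classes.

```python
from html.parser import HTMLParser

# Illustrative caps for this example; Django has its own limits and these
# numbers are not them.
MAX_INPUT_LENGTH = 100_000
MAX_PASSES = 20


class SuspiciousInput(ValueError):
    """Raised instead of spending unbounded CPU on a crafted input."""


class _TagStripper(HTMLParser):
    """Collects text and entity references; tags, comments and PIs are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def text(self):
        return "".join(self.parts)


def _strip_once(value):
    """One parser pass over the text, removing every tag the parser recognises."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.text()


def strip_tags_bounded(value, max_length=MAX_INPUT_LENGTH, max_passes=MAX_PASSES):
    """Strip tags by repeated parsing, refusing inputs that need unbounded work.

    A single pass is not enough: removing "<b>" from "<<b>b>" leaves "<b>",
    a tag that only becomes visible on the next pass.  Each pass costs a full
    parse, so work grows with passes * length; the two caps turn a crafted
    input into an immediate exception instead of a slow request.
    """
    value = str(value)
    if len(value) > max_length:
        raise SuspiciousInput(f"input longer than {max_length} characters")
    passes = 0
    while "<" in value and ">" in value:
        if passes >= max_passes:
            raise SuspiciousInput(f"more than {max_passes} stripping passes needed")
        new_value = _strip_once(value)
        passes += 1
        if new_value.count("<") == value.count("<"):
            break  # the parser found nothing more it considers a tag
        value = new_value
    return value


def nested_tags(depth):
    """Constructed input that needs exactly `depth` passes to strip completely."""
    return "<" * depth + "b>" * depth + "x"


if __name__ == "__main__":
    print(strip_tags_bounded("<p>Hello <b>world</b></p>"))  # Hello world
    print(strip_tags_bounded(nested_tags(3)))               # x
    try:
        strip_tags_bounded(nested_tags(50), max_passes=10)
    except SuspiciousInput as exc:
        print("rejected:", exc)
```

nested_tags(depth) is the constructed input that forces depth passes; with the caps in place it is rejected after max_passes parses instead of being parsed depth times, and an oversized input is rejected before the first parse.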
698d05c11c  Mike Edmunds  2025-01-23 10:40:58 +01:00
    [5.2.x] Fixed #36013 -- Removed use of IDNA-2003 in django.utils.html.

    Removed obsolete and potentially problematic IDNA 2003 ("punycode")
    encoding of international domain names in smart_urlquote() and Urlizer,
    which are used (only) by AdminURLFieldWidget and the urlize/urlizetrunc
    template filters. Changed to use percent-encoded UTF-8, which defers
    IDNA details to the browser (like other URLs rendered by Django).
    Backport of 29ba75e6e5

dab04b89af  greg  2025-01-20 14:04:35 +01:00
    [5.2.x] Fixed #36017 -- Used EmailValidator in urlize to detect emails.

    Backport of 61dae11df5

322e49ba30  Mike Edmunds  2024-12-17 10:18:48 +01:00
    Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.

    Urlizer was not properly encoding email addresses containing punctuation
    in generated mailto links. Per RFC 6068, fixed by percent encoding
    (urllib.parse.quote) the local and domain address parts.

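The #36012 entry above percent-encodes the local and domain parts of mailto links with urllib.parse.quote, and the #36013 entry replaces IDNA 2003 encoding of international host names with percent-encoded UTF-8. The following is an added example, mine rather than Django's implementation, showing both side by side, together with the unquote-then-quote normalisation that keeps an already-encoded URL from being encoded twice (the idea behind the #22267 entry at the bottom of this history). percent_encode_url() and its simplified handling of ports and userinfo are assumptions made for the example; the safe-character sets are my own, not Django's.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Illustrative code, not Django's smart_urlquote()/Urlizer.  quote()'s default
# keeps "/" literal, which is right for a path but not for the pieces of a
# mailto: address or a host name, so those use safe="".


def mailto_href(address):
    """Build a mailto: URL from an address such as "first.last+tag@example.com".

    RFC 6068 treats the local part and the domain as separately
    percent-encoded components with a literal "@" between them.  Left
    unencoded, "?", "&" or "#" in the local part would be read as the start
    of the header-field or fragment section, and "%" as the start of an escape.
    """
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"mailto:{quote(local, safe='')}@{quote(domain, safe='')}"


def host_idna2003(host):
    """The removed behaviour: Python's built-in "idna" codec implements IDNA 2003,
    whose nameprep step folds characters (e.g. ß to ss) before encoding."""
    return host.encode("idna").decode("ascii")


def host_percent_encoded(host):
    """The replacement: percent-encode the UTF-8 bytes and let the browser apply
    its own IDNA rules when it resolves the name."""
    return quote(host, safe="")


def unquote_quote(segment, safe="/"):
    """Re-encode a URL segment exactly once.

    Decoding first means an already-encoded "%20" survives as "%20" instead
    of becoming "%2520", so applying the function twice changes nothing.
    """
    return quote(unquote(segment), safe=safe)


def percent_encode_url(url):
    """Apply the above to the host, path and query of an http(s) URL."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.hostname:
        # Assumption for this example: userinfo is dropped and only the port is
        # carried over; a full implementation would preserve both.
        netloc = host_percent_encoded(parts.hostname)
        if parts.port:
            netloc += f":{parts.port}"
    path = unquote_quote(parts.path)
    query = unquote_quote(parts.query, safe="/?&=")
    return urlunsplit((parts.scheme, netloc, path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs.
    print(mailto_href("first.last+tag@example.com"))
    print(host_idna2003("straße.example"), "vs", host_percent_encoded("straße.example"))
    print(percent_encode_url("https://bücher.example/café menu.pdf"))
```

The straße.example case is the reason the IDNA 2003 path is described as problematic: the codec turns it into strasse.example, a different registered name under IDNA 2008, whereas the percent-encoded form hands the untouched Unicode label to the browser.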
49ff1042aa  Sarah Boyce  2024-12-04 13:43:13 +01:00
    Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().

    Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
    for the reviews.

320dd27412  Sarah Boyce  2024-09-03 09:22:32 -03:00
    Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

    Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

2b71b2c8dc  Adam Johnson  2024-08-27 15:14:50 -03:00
    Refs #34609 -- Fixed deprecation warning stack level in format_html().

    Co-authored-by: Simon Charette <charette.s@gmail.com>

231c0d8593  nabil-rady  2024-08-20 08:20:34 +02:00
    Fixed #35668 -- Added mapping support to format_html_join.

5f1757142f  Mariusz Felisiak  2024-08-06 08:50:08 +02:00
    Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.

    Thanks Seokchan Yoon for the report.
    Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

ecf1f8fb90  Sarah Boyce  2024-08-06 08:50:08 +02:00
    Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

    Thanks to MProgrammer for the report.

d666457453  Adam Johnson  2024-07-09 09:21:19 -03:00
    Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

    Thank you to Elias Myllymäki for the report.
    Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

094b0bea2c  devilsautumn  2023-06-06 14:14:57 +02:00
    Fixed #34609 -- Deprecated calling format_html() without arguments.

72e41a0df6  Hrushikesh Vaidya  2022-06-28 10:54:38 +02:00
    Fixed #33779 -- Allowed customizing encoder class in django.utils.html.json_script().

a45f28f0ec  Adam Johnson  2022-03-08 14:50:06 +01:00
    Rewrote strip_tags test file to lorem ipsum.

7119f40c98  Mariusz Felisiak  2022-02-07 20:37:05 +01:00
    Refs #33476 -- Refactored code to strictly match 88 characters line length.

9c19aff7c7  django-bot  2022-02-07 20:37:05 +01:00
    Refs #33476 -- Reformatted code with Black.

e6e664a711  Baptiste Mispelon  2021-11-22 11:52:19 +01:00
    Fixed #33302 -- Made element_id optional argument for json_script template filter.

    Added versionchanged note in documentation

68cc04887b  Shipeng Feng  2021-07-07 11:19:33 +02:00
    Fixed #32866 -- Fixed trimming trailing punctuation from escaped string in urlize().

4b78420d25  Florian Apolloner  2019-08-01 09:24:54 +02:00
    Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.

    Thanks to Guido Vranken for initial report.

8d76443aba  Jon Dufresne  2019-04-25 15:09:07 +02:00
    Fixed #30399 -- Changed django.utils.html.escape()/urlize() to use html.escape()/unescape().

7e3bf2662b  Jon Dufresne  2019-01-27 17:41:43 -05:00
    Removed default mode='r' argument from calls to open().

a7ef4a56e0  Srinivas Thatiparthy (శ్రీనివాస్ తాటిపర్తి)  2018-11-09 12:39:08 -05:00
    Fixed #29920 -- Added a test for smart_urlquote()'s UnicodeError branch.

82f286cf6f  Jon Dufresne  2018-09-26 08:48:47 +02:00
    Refs #29784 -- Switched to https:// links where available.

911af0d24b  Tim Graham  2018-03-06 08:30:41 -05:00
    Added more tests for django.utils.html.urlize().

8618271caa  Tim Graham  2018-03-06 08:30:40 -05:00
    Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.

    Thanks Florian Apolloner for assisting with the patch.

b832de869e  Tim Graham  2018-02-10 15:45:57 -05:00
    Added tests for utils.html.urlize() (lazy string inputs were untested).

8c709d79cb  Jonas Haag  2018-02-07 18:38:12 -05:00
    Fixed #17419 -- Added json_tag template filter.

ff05de760c  Jon Dufresne  2018-01-21 02:09:10 -05:00
    Fixed #29038 -- Removed closing slash from HTML void tags.

6ae1b04fb5  Tim Graham  2017-03-04 09:04:16 -05:00
    Fixed #27900 -- Made escapejs escape backticks for use in ES6 template literals.

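The json_script entries (#17419, #33302, #33779) and the escapejs backtick change (#27900) above are two different ways of putting data into a script context. As an added example, not Django's code: escapejs() for interpolating a value into a JS string literal, including an ES6 template literal, and json_script() for embedding a whole value as a JSON document inside a script element of type application/json, with the optional element id and the pluggable encoder class those entries describe. The escape tables are my own reconstruction of the approach; read_json_script() and SetEncoder are helpers made up for this example.

```python
import html
import json

# Illustrative code, not django.utils.html.  The characters below could close
# a JS string literal, a template literal (the backtick, the ES6 case) or the
# surrounding <script> element, or are HTML markup characters.  A \uXXXX escape
# is valid inside every JS string context, so it is used uniformly.
_JS_ESCAPES = {ch: f"\\u{ord(ch):04X}" for ch in "\\'\"><&=-;`"}
_JS_ESCAPES.update({chr(code): f"\\u{code:04X}" for code in range(32)})
_JS_ESCAPES.update({"\u2028": "\\u2028", "\u2029": "\\u2029"})


def escapejs(value):
    """Escape a value for use inside a JS string literal ('...', "..." or `...`).

    It only makes the value safe as string contents; it does not make a value
    safe as bare JavaScript.
    """
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in str(value))


# Inside <script> the HTML parser does not decode entities, so the only way to
# end the element early is a literal "</script" (or a comment opener).  Escaping
# <, > and & inside the JSON text removes those byte sequences while JSON.parse
# still decodes them back to the original characters.
_JSON_SCRIPT_ESCAPES = {ord(">"): "\\u003E", ord("<"): "\\u003C", ord("&"): "\\u0026"}


def json_script(value, element_id=None, encoder=None):
    """Render value as a <script type="application/json"> element.

    element_id is optional (the #33302 change); encoder may be a
    json.JSONEncoder subclass for types json.dumps() does not handle (the
    #33779 change).
    """
    json_str = json.dumps(value, cls=encoder).translate(_JSON_SCRIPT_ESCAPES)
    id_attr = f' id="{html.escape(element_id, quote=True)}"' if element_id else ""
    return f'<script{id_attr} type="application/json">{json_str}</script>'


def read_json_script(element):
    """What the page's JS does with the element: take its text and JSON.parse it."""
    start = element.index(">") + 1
    end = element.rindex("</script>")
    return json.loads(element[start:end])


class SetEncoder(json.JSONEncoder):
    """Example custom encoder: json.dumps() rejects sets, so emit sorted lists."""

    def default(self, o):
        if isinstance(o, (set, frozenset)):
            return sorted(o)
        return super().default(o)


if __name__ == "__main__":
    # Constructed attacker-controlled strings.
    print(escapejs("`${alert(1)}`"))
    print(json_script({"html": "</script><b>&"}, "user-data"))
    print(json_script({"tags": {"b", "a"}}, encoder=SetEncoder))
```

The two functions are not interchangeable: escapejs() output still has to be placed between quotes by the template author, while json_script() produces a complete element that is read back with JSON.parse, which is why the latter is the safer default for passing structured data to a page.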
a21ec12409  Claude Paroz  2017-02-02 21:01:39 +01:00
    Fixed #27803 -- Kept safe status of lazy safe strings in conditional_escape

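The format_html(), format_html_join() and conditional_escape() entries above (#34609, #35668, #27803) rest on one idea: arguments are escaped, the template string is trusted, and a value already marked safe is not escaped a second time. As an added example, not Django's SafeString or utils.html code, a minimal version of that machinery: conditional_escape() honours the __html__() protocol, format_html() refuses to run without arguments (the case #34609 deprecates, since a template built by interpolating data first is never escaped), and format_html_join() accepts mappings as well as sequences (#35668). render_comment() is a made-up caller.

```python
import html
from collections.abc import Mapping

# Illustrative code, not Django's implementation.


class SafeString(str):
    """A string that is already HTML; conditional_escape() passes it through."""

    def __html__(self):
        return self


def mark_safe(s):
    """Declare that s is trusted HTML.  Only call this on strings you built."""
    return SafeString(s)


def escape(value):
    """Always escape; quote=True also covers attribute values in either quote style."""
    return html.escape(str(value), quote=True)


def conditional_escape(value):
    """Escape unless the value declares itself safe through __html__().

    Using the __html__ protocol rather than a class check means the result of
    a previous format_html() call, or another library's safe string, is not
    escaped twice.
    """
    if hasattr(value, "__html__"):
        return mark_safe(value.__html__())
    return mark_safe(escape(value))


def format_html(format_string, *args, **kwargs):
    """str.format() with every argument escaped; only the template is trusted."""
    if not args and not kwargs:
        # "<b>%s</b>" % name would already contain the unescaped data.
        raise TypeError("format_html() without arguments escapes nothing")
    args_safe = [conditional_escape(a) for a in args]
    kwargs_safe = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(format_string.format(*args_safe, **kwargs_safe))


def format_html_join(sep, format_string, args_generator):
    """Apply format_html() to each item and join; an item is a sequence
    (positional placeholders) or a mapping (named placeholders)."""
    pieces = (
        format_html(format_string, **args)
        if isinstance(args, Mapping)
        else format_html(format_string, *args)
        for args in args_generator
    )
    return mark_safe(conditional_escape(sep).join(pieces))


def render_comment(author, body):
    """Typical use: untrusted author and body, trusted markup."""
    return format_html("<p><b>{author}</b>: {body}</p>", author=author, body=body)


if __name__ == "__main__":
    attacker = "<img src=x onerror=alert(1)>"  # constructed input
    print(render_comment(attacker, "hi"))
    print(format_html_join("\n", "<li>{name}: {role}</li>",
                           [{"name": "ann", "role": "<admin>"}, {"name": "bob", "role": "user"}]))
```

Nesting works because format_html() returns a SafeString: passing one format_html() result into another keeps the inner markup intact while every piece of user data along the way has been escaped exactly once.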
f8d52521ab  Tim Graham  2017-02-02 08:17:00 -05:00
    Refs #27804 -- Used subTest() in tests.utils_tests.test_html.

2af8cd22a9  Tim Graham  2017-02-02 07:23:10 -05:00
    Imported specific functions in tests.utils_tests.test_html.

2366100872  Claude Paroz  2017-01-24 18:45:54 +01:00
    Removed unneeded force_text calls in the test suite

4e729feaa6  Tim Graham  2017-01-20 08:01:02 -05:00
    Refs #23919 -- Removed django.utils._os.upath()/npath()/abspathu() usage.

    These functions do nothing on Python 3.

cecc079168  Simon Charette  2017-01-19 08:39:46 +01:00
    Refs #23919 -- Stopped inheriting from object to define new style classes.

c716fe8782  Claude Paroz  2017-01-18 16:21:28 +01:00
    Refs #23919 -- Removed six.PY2/PY3 usage

    Thanks Tim Graham for the review.

d7b9aaa366  Claude Paroz  2017-01-18 09:55:19 +01:00
    Refs #23919 -- Removed encoding preambles and future imports

321e94fa41  za  2016-11-10 21:30:21 -05:00
    Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings.

d693074d43  Iacopo Spalletti  2015-12-12 14:46:48 -05:00
    Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy().

    Thanks to bmispelon and uruz for the initial patch.

222d063301  Tim Graham  2015-09-23 19:31:09 -04:00
    Refs #23269 -- Removed the removetags template tag and related functions per deprecation timeline.

b1e33ceced  Dražen Odobašić  2015-09-12 11:40:50 -04:00
    Fixed #23395 -- Limited line lengths to 119 characters.

aaacaeb096  Tim Graham  2015-06-24 16:08:20 -04:00
    Renamed RemovedInDjangoXYWarnings for new roadmap.

    Forwardport of ae1d663b79

1f2abf784a  Moritz Sichert  2015-03-27 19:46:20 -04:00
    Fixed #24469 -- Refined escaping of Django's form elements in non-Django templates.

1c83fc88d6  Tim Graham  2015-03-18 19:20:07 -04:00
    Fixed an infinite loop possibility in strip_tags().

    This is a security fix; disclosure to follow shortly.

0ed7d15563  Tim Graham  2015-02-06 08:16:28 -05:00
    Sorted imports with isort; refs #23860.

51890ce889  Claude Paroz  2014-12-30 18:16:25 +01:00
    Applied ignore_warnings to Django tests

560b4207b1  Berker Peksag  2014-12-03 14:27:38 -05:00
    Removed redundant numbered parameters from str.format().

    Since Python 2.7 and 3.1, "{0} {1}" is equivalent to "{} {}".

b9d9287f59  Claude Paroz  2014-09-09 21:59:35 +02:00
    Fixed urlize after smart_urlquote rewrite

    Refs #22267.

4b8a1d2c0d  Claude Paroz  2014-09-09 21:58:07 +02:00
    Fixed #22267 -- Fixed unquote/quote in smart_urlquote

    Thanks Md. Enzam Hossain for the report and initial patch, and
    Tim Graham for the review.