
Commit 11243cc

[5.1.x] Added security guideline on reasonable size limitations when rendering content via the DTL.
This also removes the need to add warnings for every Django template filter. Backport of 582ba18 from main.
1 parent b80288a commit 11243cc

2 files changed

+26
-11
lines changed

docs/internals/security.txt

Lines changed: 26 additions & 0 deletions
@@ -168,6 +168,32 @@ Django contains many private and undocumented functions that are not part of
168168
its public API. If a vulnerability depends on directly calling these internal
169169
functions in an unsafe way, it will not be considered a valid security issue.
170170

171+
Content displayed by the Django Template Language must be under 100 KB
172+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
173+
174+
The Django Template Language (DTL) is designed for building the content needed
175+
to display web pages. In particular its text filters are meant for that kind of
176+
usage.
177+
178+
For reference, the complete works of Shakespeare have about 3.5 million bytes
179+
in plain-text ASCII encoding. Displaying such in a single request is beyond the
180+
scope of almost all websites, and so outside the scope of the DTL too.
181+
182+
Text processing is expensive. Django makes no guarantee that DTL text filters
183+
are never subject to degraded performance if passed deliberately crafted,
184+
sufficiently large inputs. Under default configurations, Django makes it
185+
difficult for sites to accidentally accept such payloads from untrusted
186+
sources, but, if it is necessary to display large amounts of user-provided
187+
content, it’s important that basic security measures are taken.
188+
189+
User-provided content should always be constrained to known maximum length. It
190+
should be filtered to remove malicious content, and validated to match expected
191+
formats. It should then be processed offline, if necessary, before being
192+
displayed.
193+
194+
Proof of concepts which use over 100 KB of data to be processed by the DTL will
195+
be considered invalid.
196+
171197
.. _security-report-evaluation:
172198

173199
How does Django evaluate a report
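Review bot: The new section (lines 171-196) has no reference label, so nothing else in the docs can link to it, even though the adjacent ``.. _security-report-evaluation:`` on line 197 shows the convention used here; add a label such as ``.. _security-dtl-size-limit:`` (name is a suggestion) above the heading so the builtins reference and advisories can point readers at the 100 KB guideline instead of repeating it. The body also says "Under default configurations, Django makes it difficult for sites to accidentally accept such payloads" without naming the mechanism; naming or linking the relevant setting would let readers verify their own deployment still has that protection. Two wording nits: "constrained to known maximum length" should read "constrained to a known maximum length", and "Proof of concepts which use over 100 KB" should read "Proofs of concept that use over 100 KB".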

docs/ref/templates/builtins.txt

Lines changed: 0 additions & 11 deletions
@@ -2932,17 +2932,6 @@ Django's built-in :tfilter:`escape` filter. The default value for
29322932
email addresses that contain single quotes (``'``), things won't work as
29332933
expected. Apply this filter only to plain text.
29342934

2935-
.. warning::
2936-
2937-
Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
2938-
can become severe when applied to user controlled values such as content
2939-
stored in a :class:`~django.db.models.TextField`. You can use
2940-
:tfilter:`truncatechars` to add a limit to such inputs:
2941-
2942-
.. code-block:: html+django
2943-
2944-
{{ value|truncatechars:500|urlize }}
2945-
29462935
.. templatefilter:: urlizetrunc
29472936

29482937
``urlizetrunc``
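Review bot: Dropping the whole warning (lines 2935-2945) also drops the one concrete mitigation the reference gave, ``{{ value|truncatechars:500|urlize }}``, which is exactly the "constrained to a known maximum length" step the new security section asks sites to take; rather than removing guidance entirely, keep a one-line cross-reference from the ``urlize`` entry to the new size-limit section so readers of the filter docs learn where the limit is documented. Without that pointer, the only remaining hint at this entry is "Apply this filter only to plain text", which says nothing about input size.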
