django-security-patterns-v1Certifiedv1.0.0

Django security patterns

Always-on secure coding patterns for Django (safe; no dependency edits).

Protects against

Rule body

# Django security patterns

Safe, always-on code patterns that reduce security risk without changing your dependency graph.

These rules use ONLY pattern-level verbs (ALWAYS/NEVER). They MUST NOT prescribe dependency upgrades.

### CVE-2024-53907 — safe patterns

- NEVER pass untrusted or user-supplied HTML directly to strip_tags() without size limits.
- ALWAYS validate and truncate input length before processing with strip_tags().
- NEVER rely on strip_tags() as your primary sanitization for user input without pre-validation.

### CVE-2024-45230 — safe patterns

- NEVER pass untrusted user input directly to urlize() without prior escaping.
- ALWAYS escape the output of urlize() before inserting it into HTML templates.
- NEVER rely on urlize() alone to sanitize HTML when processing user-generated content.

### CVE-2024-38875 — safe patterns

- NEVER rely solely on URLValidator regex patterns to validate untrusted user-supplied URLs.
- ALWAYS implement request timeouts for URL validation operations on external input.
- ALWAYS limit URL length before validation to constrain regex evaluation scope.