id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36769	Limit recursive extraction of field values in XML deserializer	Jacob Walls	Pravin	"While investigating [https://docs.djangoproject.com/en/5.2/releases/security/#december-2-2025-cve-2025-64460 CVE-2025-64460] (mitigated in 50efb718b31333051bc2dcb06911b8fa1358c98c), we noticed that the private helper `getInnerText` supports extracting [https://github.com/django/django/blob/93540b34d4ef46f68df2c8bfe90447d0f649a852/django/core/serializers/xml_serializer.py#L418 arbitrarily nested text]; however, its only use in Django is to extract text at most one level deep, under a `<natural>` tag, like this [https://github.com/django/django/blob/5625bd590766e5ca8c2c76ba2307b98f7450ff83/tests/fixtures/fixtures/fixture9.xml#L22 fixture example].

We opted not to change this semantic in a patch release, but it occurred to me that we could only extract text at the exact expected depth (e.g. 0 if under `<field>` and 1 if under `<field><natural>`) and completely sidestep potential performance issues from invalid input making use of nested elements; see the recent [https://www.cve.org/CVERecord?id=CVE-2025-12084 Python CVE-2025-12084], which we also mitigated yesterday.

I would appreciate any arguments I might be missing, for example, if there are legitimate use cases for ingesting text from nested tags e.g. from unescaped markup that this proposal would break."	Cleanup/optimization	closed	Core (Serialization)	dev	Normal	fixed	xml deserializer	Pravin Shai Berger	Ready for checkin	0	0	0	0	0	0
