django1/docs/releases/1.10.8.txt

===========================
Django 1.10.8 release notes
===========================

*September 5, 2017*

Django 1.10.8 fixes a security issue in 1.10.7.

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
=============================================================================

In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed
a cross-site scripting attack. This vulnerability shouldn't affect most
production sites since you shouldn't run with ``DEBUG = True`` (which makes
this page accessible) in your production settings.
Added stub release notes for security releases. 2017-08-10 07:49:32 +08:00			`===========================`
			`Django 1.10.8 release notes`
			`===========================`

			`September 5, 2017`

			`Django 1.10.8 fixes a security issue in 1.10.7.`
Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page. This is a security fix. 2017-08-10 09:12:37 +08:00
			`CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page`
			`=============================================================================`

			`In older versions, HTML autoescaping was disabled in a portion of the template`
			`for the technical 500 debug page. Given the right circumstances, this allowed`
			`a cross-site scripting attack. This vulnerability shouldn't affect most`
			production sites since you shouldn't run with ``DEBUG = True`` (which makes
			`this page accessible) in your production settings.`