2019-05-27 15:37:10 +08:00
|
|
|
============================
|
|
|
|
Django 1.11.21 release notes
|
|
|
|
============================
|
|
|
|
|
|
|
|
*June 3, 2019*
|
|
|
|
|
2019-05-23 18:06:34 +08:00
|
|
|
Django 1.11.21 fixes a security issue in 1.11.20.
|
|
|
|
|
|
|
|
CVE-2019-12308: AdminURLFieldWidget XSS
|
|
|
|
---------------------------------------
|
|
|
|
|
|
|
|
The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
|
|
|
|
the provided value without validating it as a safe URL. Thus, an unvalidated
|
|
|
|
value stored in the database, or a value provided as a URL query parameter
|
|
|
|
payload, could result in an clickable JavaScript link.
|
|
|
|
|
|
|
|
``AdminURLFieldWidget`` now validates the provided value using
|
|
|
|
:class:`~django.core.validators.URLValidator` before displaying the clickable
|
|
|
|
link. You may customise the validator by passing a ``validator_class`` kwarg to
|
|
|
|
``AdminURLFieldWidget.__init__()``, e.g. when using
|
|
|
|
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
|