========================== Django 4.0.2 release notes ========================== *February 1, 2022* Django 4.0.2 fixes two security issues with severity "medium" and several bugs in 4.0.1. Also, the latest string translations from Transifex are incorporated, with a special mention for Bulgarian (fully translated). CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag ============================================================= The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``. CVE-2022-23833: Denial-of-service possibility in file uploads ============================================================= Passing certain inputs to multipart forms could result in an infinite loop when parsing files. Bugfixes ======== * Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could execute callbacks multiple times (:ticket:`33410`). * Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in automatically-generated forms (:ticket:`33419`). * Fixed a regression in Django 4.0 that caused displaying an incorrect name for class-based views on the technical 404 debug page (:ticket:`33425`). * Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of ``ResolverMatch`` for class-based views (:ticket:`33426`). * Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on models without ``Meta.order_with_respect_to`` but with a field named ``_order`` (:ticket:`33449`). * Fixed a regression in Django 4.0 that caused incorrect :attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`). * Fixed a duplicate operation regression in Django 4.0 that caused a migration crash when altering a primary key type for a concrete parent model referenced by a foreign key (:ticket:`33462`). * Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()`` after ``annotate()`` on an aggregate function with a :ref:`default ` (:ticket:`33468`). * Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` when renaming a field of a renamed model (:ticket:`33480`).