[1.5.x] Update 1.5 release notes for XML and formset fixes.

Carl Meyer 2013-02-12 16:02:05 -07:00
parent 3ef4bbf495
commit 84ce990c07
1 changed files with 19 additions and 0 deletions


@ -628,6 +628,25 @@ your routers allow synchronizing content types and permissions to only one of
them. See the docs on the :ref:`behavior of contrib apps with multiple
databases <contrib_app_multiple_databases>` for more information.
XML deserializer will not parse documents with a DTD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In order to prevent exposure to denial-of-service attacks related to external
entity references and entity expansion, the XML model deserializer now refuses
to parse XML documents containing a DTD (DOCTYPE definition). Since the XML
serializer does not output a DTD, this will not impact typical usage, only
cases where custom-created XML documents are passed to Django's model
deserializer.
Formsets default ``max_num``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A (default) value of ``None`` for the ``max_num`` argument to a formset factory
no longer defaults to allowing any number of forms in the formset. Instead, in
order to prevent memory-exhaustion attacks, it now defaults to a limit of 1000
forms. This limit can be raised by explicitly setting a higher value for
``max_num``.
Miscellaneous
~~~~~~~~~~~~~
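Review bot: the "XML deserializer will not parse documents with a DTD" note says the deserializer "refuses to parse" such documents but never says how the refusal surfaces; callers passing hand-built XML to the model deserializer need to know which exception is raised so they can catch it, and since the note cites both external entity references and entity expansion, it should also say whether a document whose DOCTYPE declares only an internal subset is rejected the same way. The "Formsets default ``max_num``" note has a similar gap: "a limit of 1000 forms" does not say whether the limit caps the number of forms the formset will process from submitted data, the number it renders, or both, so a reader cannot tell whether an existing view that legitimately handles more than 1000 forms will break after upgrading; one sentence naming the count that is capped (and noting that ``max_num`` must be set explicitly to raise it) would make both notes actionable.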