Moved two paragraphs from "deprecated features" to "backwards-incompatible changes", where they belong.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Aymeric Augustin 2012-01-07 21:47:38 +00:00
parent cd46863043
commit c51c9b3ce6
1 changed files with 16 additions and 16 deletions

View File

@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though
fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load`` fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
for additional security. for additional security.
Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.
Features deprecated in 1.4 Features deprecated in 1.4
========================== ==========================
@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter
See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information. See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.
Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
Wildcard expansion of application names in `INSTALLED_APPS` Wildcard expansion of application names in `INSTALLED_APPS`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~