[2.0.x] Forwardported 1.11.21 release notes.
This commit is contained in:
parent
862ef796af
commit
022c205f51
docs/releases
|
@ -0,0 +1,21 @@
|
||||||
|
============================
|
||||||
|
Django 1.11.21 release notes
|
||||||
|
============================
|
||||||
|
|
||||||
|
*June 3, 2019*
|
||||||
|
|
||||||
|
Django 1.11.21 fixes a security issue in 1.11.20.
|
||||||
|
|
||||||
|
CVE-2019-12308: AdminURLFieldWidget XSS
|
||||||
|
---------------------------------------
|
||||||
|
|
||||||
|
The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
|
||||||
|
the provided value without validating it as a safe URL. Thus, an unvalidated
|
||||||
|
value stored in the database, or a value provided as a URL query parameter
|
||||||
|
payload, could result in an clickable JavaScript link.
|
||||||
|
|
||||||
|
``AdminURLFieldWidget`` now validates the provided value using
|
||||||
|
:class:`~django.core.validators.URLValidator` before displaying the clickable
|
||||||
|
link. You may customise the validator by passing a ``validator_class`` kwarg to
|
||||||
|
``AdminURLFieldWidget.__init__()``, e.g. when using
|
||||||
|
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
|
|
@ -45,6 +45,7 @@ versions of the documentation contain the release notes for any later releases.
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
1.11.21
|
||||||
1.11.20
|
1.11.20
|
||||||
1.11.19
|
1.11.19
|
||||||
1.11.18
|
1.11.18
|
||||||
|
|
Loading…
Reference in New Issue