[2.0.x] Forwardported 1.11.21 release notes.

2019-05-27 09:37:10 +02:00 · 2019-05-27 09:37:10 +02:00 · 022c205f51
parent 862ef796af
commit 022c205f51
2 changed files with 22 additions and 0 deletions
--- a/docs/releases/1.11.21.txt
+++ b/docs/releases/1.11.21.txt
@ -0,0 +1,21 @@
+============================
+Django 1.11.21 release notes
+============================
+
+*June 3, 2019*
+
+Django 1.11.21 fixes a security issue in 1.11.20.
+
+CVE-2019-12308: AdminURLFieldWidget XSS
+---------------------------------------
+
+The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
+the provided value without validating it as a safe URL. Thus, an unvalidated
+value stored in the database, or a value provided as a URL query parameter
+payload, could result in an clickable JavaScript link.
+
+``AdminURLFieldWidget`` now validates the provided value using
+:class:`~django.core.validators.URLValidator` before displaying the clickable
+link. You may customise the validator by passing a ``validator_class`` kwarg to
+``AdminURLFieldWidget.__init__()``, e.g. when using
+:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@ -45,6 +45,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
   :maxdepth: 1

+   1.11.21
   1.11.20
   1.11.19
   1.11.18