django.git/django/core/serializers/xml_serializer.py, branch maindjango
http://cgit.adnoto.dev/django.git/atom?h=main2026-04-19T10:38:12ZAdded support for nested fields to XML deserializer.2026-04-19T10:38:12ZTim Grahamtimograham@gmail.com2026-04-04T23:16:41Zurn:sha1:3af5cb17b83eaaea6d4def494269694c009d89c5
Needed by Django MongoDB Backend's EmbeddedModelField.
Fixed #37023 -- Made XML serializer put each ManyToManyField object on its own line.2026-04-06T17:04:33ZTim Grahamtimograham@gmail.com2026-04-04T22:02:17Zurn:sha1:33bfc66add643f49d466c5a646989ad91677753dRefs #37023 -- Removed hardcoded indent levels from XML serializer.2026-04-06T17:04:33ZTim Grahamtimograham@gmail.com2026-04-04T21:58:05Zurn:sha1:eb244b011716d62b22dbca45f0a621a6192cad67
This facilitates nested fields and objects.
Fixed #36750 -- Made ordering of M2M objects deterministic in serializers.2026-02-26T12:46:35ZVIZZARD-Xvigneshanandmay13@gmail.com2025-12-27T08:24:14Zurn:sha1:e6108b7388775f4996a5906e0525fbdd40d2df51
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML Deserializer.2026-01-12T21:38:32ZJacob Wallsjacobtylerwalls@gmail.com2026-01-07T21:23:48Zurn:sha1:73c5e94521c5b97e27cd2fe2d5b5c2e65f402755
Thanks Shai Berger and Natalia Bidart for reviews.
Refs #36769 -- Avoided visiting grandchild nodes in XML Deserializer.2026-01-12T21:38:32ZJacob Wallsjacobtylerwalls@gmail.com2026-01-07T21:23:32Zurn:sha1:a25158f5cc590f3dff4226c3a48257481e6e67a6
The only use case for visiting grandchild nodes turned out to be to
support an unintentionally invalid fixture in the test suite.
The invalid fixture added in #36969 was modeled on fixture9.xml in
dae08cf55b83caef5e8ee39b16417692e8565278, so that is corrected as well
in this commit, where the test will still pass.
Fixed #36786 -- Fixed XML serialization of None values in natural keys.2025-12-22T19:21:01ZYoungkwang Yangme@youngkwang.dev2025-12-18T04:49:13Zurn:sha1:95394443bff2cd6c5cb47c752422fe1f391bb43d
None values in natural keys were incorrectly serialized as the string
"None", causing deserialization to fail for fields like UUIDField.
Fixed #36769 -- Avoided visiting deeply nested nodes in XML deserializer.2025-12-11T17:38:04ZPravin Kambleiampbkamble@gmail.com2025-12-09T06:27:52Zurn:sha1:dae08cf55b83caef5e8ee39b16417692e8565278
Only children at one level of depth need to be visited.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Fixed #35729 -- Enabled natural key serialization opt-out for subclasses.2025-12-03T20:04:52Zrimi0108hyerimc858@gmail.com2025-10-04T04:52:59Zurn:sha1:93540b34d4ef46f68df2c8bfe90447d0f649a852
Refactored serialization logic to allow models inheriting a natural_key()
method (e.g. AbstractBaseUser) to explicitly opt out of natural key
serialization by returning an empty tuple from the method.
Thanks Jonas Dittrich for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer.2025-12-02T12:21:07ZShai Bergershai@platonix.com2025-10-11T18:42:56Zurn:sha1:50efb718b31333051bc2dcb06911b8fa1358c98c
Previously, `getInnerText()` recursively used `list.extend()` on strings,
which added each character from child nodes as a separate list element.
On deeply nested XML content, this caused the overall deserialization
work to grow quadratically with input size, potentially allowing
disproportionate CPU consumption for crafted XML.
The fix separates collection of inner texts from joining them, so that
each subtree is joined only once, reducing the complexity to linear in
the size of the input. These changes also include a mitigation for a
xml.dom.minidom performance issue.
Thanks Seokchan Yoon (https://ch4n3.kr/) for report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>