django.git/django/forms/fields.py, branch main django http://cgit.adnoto.dev/django.git/atom?h=main 2026-04-29T18:52:25Z Fixed #16429 -- Extracted set_choices() method from FilePathField.__init__(). 2026-04-29T18:52:25Z TildaDares mathildaudufo@gmail.com 2026-03-29T21:02:10Z urn:sha1:3f912ee4189602b4df121c0dc0428673fda5c253 Fixed #35870 -- Made blank choice label in forms more accessible. 2026-04-22T21:06:29Z Annabelle Wiegart annabelle.wiegart@proton.me 2026-01-18T19:03:28Z urn:sha1:63c56cda133a85a158502891c40465bc0331d3d9 Added new constant django.db.models.fields.BLANK_CHOICE_LABEL for an accessible and translatable blank choice label in forms. Deprecated django.db.models.fields.BLANK_CHOICE_DASH constant. Added the immediately deprecated transitional setting USE_BLANK_CHOICE_DASH. Co-Authored-By: Marijke Luttekes <mail@marijkeluttekes.dev> Refs #36913 -- Maintained error message determinism in MultipleChoiceField.validate(). 2026-03-26T19:21:00Z afenoum anja1catus@gmail.com 2026-03-26T08:30:02Z urn:sha1:8b7ea2bcdd7297941ca6beb72d93b9568e187349 Used Django's OrderedSet datastructure instead of set() in MultipleChoiceField.validate() to prevent submission ordering from being discarded during validation. Thanks to Jacob Walls, JaeHyuck Sa, Jake Howard and Simon Charette for the reviews. Fixed #36913 -- Optimized MultipleChoiceField.validate(). 2026-03-25T13:23:10Z afenoum anja1catus@gmail.com 2026-03-15T11:18:59Z urn:sha1:26f8929f16c514bd9967cd78d8dcd7760b82cc92 Fixed CVE-2026-25673 -- Simplified URLField scheme detection. 2026-03-03T12:08:46Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:951ffb3832cd83ba672c1e3deae2bda128eb9cca This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Refs #36500 -- Corrected rewrapped long lines fixed via a script. 2025-07-23T23:17:55Z Mike Edmunds medmunds@gmail.com 2025-07-23T03:44:22Z urn:sha1:78298b51629e14c0e472898b635bc819d47b7f27 Manually reformatted some comments and docstrings where autofix_w505.py changed the meaning of the formatting. Refs #36500 -- Rewrapped long docstrings and block comments via a script. 2025-07-23T23:17:55Z django-bot ops@djangoproject.com 2025-07-23T03:41:41Z urn:sha1:69a93a88edb56ba47f624dac7a21aacc47ea474f Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505. Refs #34380 -- Changed the URLField default scheme to https and removed FORMS_URLFIELD_ASSUME_HTTPS per deprecation timeline. 2025-01-15T21:28:37Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2024-12-12T16:39:58Z urn:sha1:9a3f86e96009c1137b286f6d579b9d812a0dee69 Fixed #35521 -- Allowed overriding BoundField class on fields, forms and renderers. 2025-01-15T20:04:26Z Matthias Kestenholz mk@feinheit.ch 2025-01-15T20:04:26Z urn:sha1:6a7ee02f5994c65bbefe92a3da74f22326970cf9 Thank you Sarah Boyce, Carlton Gibson, Tim Schilling and Adam Johnson for reviews. Co-authored-by: Christophe Henry <contact@c-henry.fr> Co-authored-by: David Smith <smithdc@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Matthias Kestenholz <mk@feinheit.ch> Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation. 2025-01-14T11:42:24Z Michael Manfre mike@manfre.net 2024-12-12T02:39:32Z urn:sha1:ca2be7724e1244a4cb723de40a070f873c6e94bf Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>