summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorBaptiste Mispelon <bmispelon@gmail.com>2015-03-08 11:50:32 +0100
committerTim Graham <timograham@gmail.com>2015-03-09 10:17:54 -0400
commit2654e1b93923bac55f12b4e66c5e39b16695ace5 (patch)
tree339c5e65ac69a07dd58bee6e4831a23bc87e7500 /docs
parent5a3b53112193cc74d2043e09894dd29a763b1105 (diff)
[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.7.6.txt18
1 files changed, 16 insertions, 2 deletions
diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt
index af0907816d..7f54da1474 100644
--- a/docs/releases/1.7.6.txt
+++ b/docs/releases/1.7.6.txt
@@ -2,9 +2,23 @@
Django 1.7.6 release notes
==========================
-*Under Development*
+*March 9, 2015*
-Django 1.7.6 fixes several bugs in 1.7.5.
+Django 1.7.6 fixes a security issue and several bugs in 1.7.5.
+
+Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
+========================================================================
+
+The :attr:`ModelAdmin.readonly_fields
+<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
+admin allows displaying model fields and model attributes. While the former
+were correctly escaped, the latter were not. Thus untrusted content could be
+injected into the admin, presenting an exploitation vector for XSS attacks.
+
+In this vulnerability, every model attribute used in ``readonly_fields`` that
+is not an actual model field (e.g. a :class:`property`) will **fail to be
+escaped** even if that attribute is not marked as safe. In this release,
+autoescaping is now correctly applied.
Bugfixes
========