diff options
| author | Baptiste Mispelon <bmispelon@gmail.com> | 2015-03-08 11:50:32 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-09 10:12:21 -0400 |
| commit | 82c9169077a066995e3b00aac551bf1c8a89d98a (patch) | |
| tree | 831f6031f14cb56609eafa6e29b28919d4be787d /docs | |
| parent | 300fdbbebba45cb4e7f32edc524171019d9bce80 (diff) | |
Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields
This issue was fixed by refs #24464.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.7.6.txt | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt index af0907816d..7f54da1474 100644 --- a/docs/releases/1.7.6.txt +++ b/docs/releases/1.7.6.txt @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== -*Under Development* +*March 9, 2015* -Django 1.7.6 fixes several bugs in 1.7.5. +Django 1.7.6 fixes a security issue and several bugs in 1.7.5. + +Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` +======================================================================== + +The :attr:`ModelAdmin.readonly_fields +<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django +admin allows displaying model fields and model attributes. While the former +were correctly escaped, the latter were not. Thus untrusted content could be +injected into the admin, presenting an exploitation vector for XSS attacks. + +In this vulnerability, every model attribute used in ``readonly_fields`` that +is not an actual model field (e.g. a :class:`property`) will **fail to be +escaped** even if that attribute is not marked as safe. In this release, +autoescaping is now correctly applied. Bugfixes ======== |
