diff options
| author | Aymeric Augustin <aymeric.augustin@m4x.org> | 2012-01-07 21:47:38 +0000 |
|---|---|---|
| committer | Aymeric Augustin <aymeric.augustin@m4x.org> | 2012-01-07 21:47:38 +0000 |
| commit | c51c9b3ce61239ec2a11df56baf24106738bb44a (patch) | |
| tree | 76f364d36c527619d976be22e701892844f8af36 /docs | |
| parent | cd4686304344529538470481ddd452d2534650ae (diff) | |
Moved two paragraphs from "deprecated features" to "backwards-incompatible changes", where they belong.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4.txt | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt index d4c723fea5..ea3e9a7fc9 100644 --- a/docs/releases/1.4.txt +++ b/docs/releases/1.4.txt @@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load`` for additional security. +Session cookies now have the ``httponly`` flag by default +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Session cookies now include the ``httponly`` attribute by default to +help reduce the impact of potential XSS attacks. For strict backwards +compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file. + +The :tfilter:`urlize` filter no longer escapes every URL +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal +digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't +apply URL escaping again. This is wrong for URLs whose unquoted form contains +a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild, +since they would confuse browsers too. + Features deprecated in 1.4 ========================== @@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information. -The :tfilter:`urlize` filter no longer escapes every URL -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal -digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't -apply URL escaping again. This is wrong for URLs whose unquoted form contains -a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild, -since they would confuse browsers too. - -Session cookies now have the ``httponly`` flag by default -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Session cookies now include the ``httponly`` attribute by default to -help reduce the impact of potential XSS attacks. For strict backwards -compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file. - Wildcard expansion of application names in `INSTALLED_APPS` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
