summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/internals/deprecation.txt3
-rw-r--r--docs/ref/templates/builtins.txt3
-rw-r--r--docs/releases/1.7.txt13
3 files changed, 19 insertions, 0 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index f64cc53d25..36bc2ee533 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -209,6 +209,9 @@ details on these changes.
(``django.contrib.gis.sitemaps.views.index`` and
``django.contrib.gis.sitemaps.views.sitemap``).
+* ``django.utils.html.fix_ampersands``, the ``fix_ampersands`` template filter and
+ ``django.utils.html.clean_html`` will be removed following an accelerated deprecation.
+
.. _deprecation-removed-in-1.7:
1.7
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index a5d4c7c26e..bb02187727 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1582,6 +1582,9 @@ fix_ampersands
This is rarely useful as ampersands are automatically escaped. See
:tfilter:`escape` for more information.
+.. deprecated:: 1.7
+ This filter has been deprecated and will be removed in Django 1.8.
+
Replaces ampersands with ``&`` entities.
For example::
diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt
index 98b336f630..882fa69dee 100644
--- a/docs/releases/1.7.txt
+++ b/docs/releases/1.7.txt
@@ -1406,3 +1406,16 @@ strings, you should use ``django.utils.html.escapejs`` or the
:tfilter:`escapejs` template filter.
If all you need is to generate valid javascript strings, you can simply use
``json.dumps()``.
+
+``fix_ampersands`` utils method and template filter
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``django.utils.html.fix_ampersands`` method and the :tfilter:`fix_ampersands`
+template filter are deprecated, as the escaping of ampersands is already taken care
+of by Django's standard HTML escaping features. Combining this with ``fix_ampersands``
+would either result in double escaping, or, if the output is assumed to be safe,
+a risk of introducing XSS vulnerabilities. Along with ``fix_ampersands``,
+``django.utils.html.clean_html`` is deprecated, an undocumented function that calls
+``fix_ampersands``.
+As this is an accelerated deprecation, ``fix_ampersands`` and ``clean_html``
+will be removed in Django 1.8.