summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.7.6.txt18
1 files changed, 16 insertions, 2 deletions
diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt
index af0907816d..7f54da1474 100644
--- a/docs/releases/1.7.6.txt
+++ b/docs/releases/1.7.6.txt
@@ -2,9 +2,23 @@
Django 1.7.6 release notes
==========================
-*Under Development*
+*March 9, 2015*
-Django 1.7.6 fixes several bugs in 1.7.5.
+Django 1.7.6 fixes a security issue and several bugs in 1.7.5.
+
+Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
+========================================================================
+
+The :attr:`ModelAdmin.readonly_fields
+<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
+admin allows displaying model fields and model attributes. While the former
+were correctly escaped, the latter were not. Thus untrusted content could be
+injected into the admin, presenting an exploitation vector for XSS attacks.
+
+In this vulnerability, every model attribute used in ``readonly_fields`` that
+is not an actual model field (e.g. a :class:`property`) will **fail to be
+escaped** even if that attribute is not marked as safe. In this release,
+autoescaping is now correctly applied.
Bugfixes
========