path: root/django/core/serializers/xml_serializer.py
Age | Commit message | Author
2026-04-19 | Added support for nested fields to XML deserializer. | Tim Graham
Needed by Django MongoDB Backend's EmbeddedModelField.
2026-04-06 | Fixed #37023 -- Made XML serializer put each ManyToManyField object on its own line. | Tim Graham
2026-04-06 | Refs #37023 -- Removed hardcoded indent levels from XML serializer. | Tim Graham
This facilitates nested fields and objects.
2026-02-26 | Fixed #36750 -- Made ordering of M2M objects deterministic in serializers. | VIZZARD-X
Co-authored-by: Simon Charette <charette.s@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-01-12 | Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML Deserializer. | Jacob Walls
Thanks Shai Berger and Natalia Bidart for reviews.
2026-01-12 | Refs #36769 -- Avoided visiting grandchild nodes in XML Deserializer. | Jacob Walls
The only use case for visiting grandchild nodes turned out to be to support an unintentionally invalid fixture in the test suite. The invalid fixture added in #36969 was modeled on fixture9.xml in dae08cf55b83caef5e8ee39b16417692e8565278, so that is corrected as well in this commit, where the test will still pass.
2025-12-22 | Fixed #36786 -- Fixed XML serialization of None values in natural keys. | Youngkwang Yang
None values in natural keys were incorrectly serialized as the string "None", causing deserialization to fail for fields like UUIDField.
2025-12-11 | Fixed #36769 -- Avoided visiting deeply nested nodes in XML deserializer. | Pravin Kamble
Only children at one level of depth need to be visited.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-03 | Fixed #35729 -- Enabled natural key serialization opt-out for subclasses. | rimi0108
Refactored serialization logic to allow models inheriting a natural_key() method (e.g. AbstractBaseUser) to explicitly opt out of natural key serialization by returning an empty tuple from the method. Thanks Jonas Dittrich for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-12-02 | Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer. | Shai Berger
Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-07-23 | Refs #36500 -- Rewrapped long docstrings and block comments via a script. | django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-01-08 | Fixed #36062 -- Handled serialization of CompositePrimaryKeys. | Sarah Boyce
2024-12-18 | Fixed #35996 -- Fixed database serialization crash when serializing a many-to-many field that had a prefetch. | Erica Pisani
2024-02-20 | Fixed #35236 -- Used Field.attname/column attributes instead of get_attname()/get_attname_column(). | Adam Johnson
2024-01-26 | Applied Black's 2024 stable style. | Mariusz Felisiak
https://github.com/psf/black/releases/tag/24.1.0
2023-08-19 | Fixed #34779 -- Avoided unnecessary selection of non-nullable m2m fields without natural keys during serialization. | Juan Alvarez
By using `select_related(None)` instead of `select_related()`, the unnecessary joins are completely avoided. Note that the current tests already cover the change, when the field is not `null=True`. Regression in f9936deed1ff13b20e18bd9ca2b0750b52706b6c.
2023-06-04 | Fixed #34620 -- Fixed serialization crash on m2m fields without natural keys when base querysets use select_related(). | Mariusz Felisiak
Regression in 19e0587ee596debf77540d6a08ccb6507e60b6a7. Thanks Martin Svoboda for the report.
2022-09-05 | Fixed #33937 -- Optimized serialization of related m2m fields without natural keys. | Mark Evans
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2020-06-17 | Fixed #30583 -- Fixed handling JSONFields in XML serializer. | Hasan Ramezani
Co-authored-by: Chason Chaffin <chason@gmail.com>
2020-05-25 | Fixed #29078 -- Made serializers respect prefetch_related() for m2m fields. | Claude Paroz
2018-09-26 | Refs #29784 -- Switched to https:// links where available. | Jon Dufresne
2018-07-13 | Fixed #26291 -- Allowed loaddata to handle forward references in natural_key fixtures. | Peter Inglesby
2017-12-07 | Refs #23919 -- Replaced super() calls for old-style classes. | Nick Pope
2017-06-20 | Fixed #28324 -- Made feedgenerators write feeds with deterministically ordered attributes. | Georg Sauthoff
2017-06-05 | Replaced Model._get_pk_val() with pk property. | Tim Graham
Model.pk was added after _get_pk_val() and many places weren't simplified.
2017-04-27 | Refs #27795 -- Replaced many force_text() with str() | Claude Paroz
Thanks Tim Graham for the review.
2017-02-21 | Refs #27656 -- Updated django.core docstring verbs according to PEP 257. | Anton Samarchyan
2017-02-01 | Refs #23919 -- Replaced kwargs.pop() with keyword-only arguments. | Vytis Banaitis
2017-01-25 | Refs #23919 -- Replaced super(ClassName, self) with super(). | chillaranand
2017-01-18 | Refs #23919 -- Removed encoding preambles and future imports | Claude Paroz
2016-09-03 | Replaced smart_* by force_* calls whenever possible | Claude Paroz
The smart_* version should only be used when a lazy string should keep its lazy status.
2016-04-29 | Fixed #26207 -- Replaced dynamic classes with non-data descriptors for deferred instance loading. | Anssi Kääriäinen
2016-01-25 | Fixed #26125 -- Fixed E731 flake warnings. | userimack
2015-09-12 | Fixed #23395 -- Limited line lengths to 119 characters. | Dražen Odobašić
2015-08-31 | Fixed #25331 -- Removed trailing blank lines in docstrings. | Maxime Lorant
2015-07-02 | Fixed #25050 -- Allowed serialization of models with deferred fields. | Grégoire ROCHER
2015-06-19 | Fixed #20197 -- Made XML serializer fail loudly when outputting unserializable chars | Claude Paroz
Thanks Tim Graham for the review.
2015-05-13 | Removed unnecessary arguments in .get method calls | Piotr Jakimiak
2015-04-02 | Fixed #24558 -- Made dumpdata mapping ordering deterministic. | Simon Charette
Thanks to gfairchild for the report and Claude for the review.
2015-03-25 | Renamed Field.rel attribute to remote_field | Anssi Kääriäinen
Field.rel is now deprecated. Rel objects have now also remote_field attribute. This means that self == self.remote_field.remote_field. In addition, made the Rel objects a bit more like Field objects. Still, marked ManyToManyFields as null=True.
2015-02-06 | Sorted imports with isort; refs #23860. | Tim Graham
2015-01-06 | Fixed #12663 -- Formalized the Model._meta API for retrieving fields. | Daniel Pyrathon
Thanks to Russell Keith-Magee for mentoring this Google Summer of Code 2014 project and everyone else who helped with the patch!
2014-11-03 | Fixed typos using https://github.com/vlajos/misspell_fixer | Veres Lajos
2014-01-26 | Took advantage of the new get_model API. Refs #21702. | Aymeric Augustin
2013-12-28 | Changed get_model to raise an exception on errors. | Aymeric Augustin
Returning None on errors required unpythonic error checking and was inconsistent with get_app_config. get_model was a private API until the previous commit, but given that it was certainly used in third party software, the change is explained in the release notes. Applied the same change to get_registered_model, which is a new private API introduced during the recent refactoring.
2013-12-24 | Renamed AppCache to Apps. | Aymeric Augustin
Also renamed app_cache to apps and "app cache" to "app registry". Deprecated AppCache.app_cache_ready() in favor of Apps.ready().
2013-12-22 | Moved apps back in the toplevel django namespace. | Aymeric Augustin
Reverted 4a56a93cc458e9ab4dcab95d9f5067d4975dd1a2.
2013-12-17 | Moved the new app cache inside core. | Aymeric Augustin
2013-12-17 | Removed module-level functions for the app cache. | Aymeric Augustin
Since the original ones in django.db.models.loading were kept only for backwards compatibility, there's no need to recreate them. However, many internals of Django still relied on them. They were also imported in django.db.models. They never appear in the documentation, except a quick mention of get_models and get_app in the 1.2 release notes to document an edge case in GIS. I don't think that makes them a public API. This commit doesn't change the overall amount of global state but clarifies that it's tied to the app_cache object instead of hiding it behind half a dozen functions.