From 73c5e94521c5b97e27cd2fe2d5b5c2e65f402755 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Wed, 7 Jan 2026 16:23:48 -0500 Subject: Refs #36769 -- Raised SuspiciousOperation for unexpected nested tags in XML Deserializer. Thanks Shai Berger and Natalia Bidart for reviews. --- docs/releases/6.1.txt | 4 ++++ docs/topics/serialization.txt | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/releases/6.1.txt b/docs/releases/6.1.txt index b5b47a11d8..57129bfb66 100644 --- a/docs/releases/6.1.txt +++ b/docs/releases/6.1.txt @@ -303,6 +303,10 @@ Serialization ``()``. This ensures primary keys are serialized when using :option:`dumpdata --natural-primary`. +* The XML deserializer now raises + :exc:`~django.core.exceptions.SuspiciousOperation` when it encounters + unexpected nested tags. + Signals ~~~~~~~ diff --git a/docs/topics/serialization.txt b/docs/topics/serialization.txt index f801df0561..1a129072e0 100644 --- a/docs/topics/serialization.txt +++ b/docs/topics/serialization.txt @@ -198,7 +198,8 @@ lowercase name of the model ("session") separated by a dot. Each field of the object is serialized as a ````-element sporting the fields "type" and "name". The text content of the element represents the value -that should be stored. +that should be stored. (If the element contains child tags, +:exc:`~django.core.exceptions.SuspiciousOperation` is raised.) Foreign keys and other relational fields are treated a little bit differently: @@ -237,6 +238,11 @@ This example links the given user with the permission models with PKs 46 and XHTML, XML and Control Codes `_. +.. versionchanged:: 6.1 + + :exc:`~django.core.exceptions.SuspiciousOperation` is raised when + unexpected nested tags are found. + .. _serialization-formats-json: JSON -- cgit v1.3