From 82c9169077a066995e3b00aac551bf1c8a89d98a Mon Sep 17 00:00:00 2001 From: Baptiste Mispelon Date: Sun, 8 Mar 2015 11:50:32 +0100 Subject: Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields This issue was fixed by refs #24464. --- docs/releases/1.7.6.txt | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt index af0907816d..7f54da1474 100644 --- a/docs/releases/1.7.6.txt +++ b/docs/releases/1.7.6.txt @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== -*Under Development* +*March 9, 2015* -Django 1.7.6 fixes several bugs in 1.7.5. +Django 1.7.6 fixes a security issue and several bugs in 1.7.5. + +Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` +======================================================================== + +The :attr:`ModelAdmin.readonly_fields +` attribute in the Django +admin allows displaying model fields and model attributes. While the former +were correctly escaped, the latter were not. Thus untrusted content could be +injected into the admin, presenting an exploitation vector for XSS attacks. + +In this vulnerability, every model attribute used in ``readonly_fields`` that +is not an actual model field (e.g. a :class:`property`) will **fail to be +escaped** even if that attribute is not marked as safe. In this release, +autoescaping is now correctly applied. Bugfixes ======== -- cgit v1.3