From 93c538694e6b14a29cb0f52b784a3bfed604fda6 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 6 Jul 2016 15:41:06 -0400 Subject: Fixed XSS in admin's add/change related popup. This is a security fix. --- docs/releases/1.8.14.txt | 15 +++++++++++++-- docs/releases/1.9.8.txt | 15 +++++++++++++-- 2 files changed, 26 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/releases/1.8.14.txt b/docs/releases/1.8.14.txt index 6311172abc..31a304f7c0 100644 --- a/docs/releases/1.8.14.txt +++ b/docs/releases/1.8.14.txt @@ -2,9 +2,20 @@ Django 1.8.14 release notes =========================== -*Under development* +*July 18, 2016* -Django 1.8.14 fixes several bugs in 1.8.13. +Django 1.8.14 fixes a security issue and a bug in 1.8.13. + +XSS in admin's add/change related popup +======================================= + +Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the +admin's add/change related popup. ``Element.textContent`` is now used to +prevent execution of the data. + +The debug view also used ``innerHTML``. Although a security issue wasn't +identified there, out of an abundance of caution it's also updated to use +``textContent``. Bugfixes ======== diff --git a/docs/releases/1.9.8.txt b/docs/releases/1.9.8.txt index 8db5c3d01f..08ba5ae08f 100644 --- a/docs/releases/1.9.8.txt +++ b/docs/releases/1.9.8.txt @@ -2,9 +2,20 @@ Django 1.9.8 release notes ========================== -*Under development* +*July 18, 2016* -Django 1.9.8 fixes several bugs in 1.9.7. +Django 1.9.8 fixes a security issue and several bugs in 1.9.7. + +XSS in admin's add/change related popup +======================================= + +Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the +admin's add/change related popup. ``Element.textContent`` is now used to +prevent execution of the data. + +The debug view also used ``innerHTML``. Although a security issue wasn't +identified there, out of an abundance of caution it's also updated to use +``textContent``. Bugfixes ======== -- cgit v1.3