author    Carlton Gibson <carlton.gibson@noumenal.es>  2019-05-27 09:37:10 +0200
committer Mariusz Felisiak <felisiak.mariusz@gmail.com>  2019-06-03 14:05:25 +0200
commit    022c205f5196f34b55c56f492c38a71d32921b7f (patch)
tree      73c32da76e3eb4f2107967810b4dcbfaf477b42f
parent    862ef796afc629d3a4045dfcc1e4304d0ea87adc (diff)
[2.0.x] Forwardported 1.11.21 release notes.
-rw-r--r--  docs/releases/1.11.21.txt | 21
-rw-r--r--  docs/releases/index.txt   |  1
2 files changed, 22 insertions, 0 deletions
diff --git a/docs/releases/1.11.21.txt b/docs/releases/1.11.21.txt
new file mode 100644
index 0000000000..3da7a78612
--- /dev/null
+++ b/docs/releases/1.11.21.txt
@@ -0,0 +1,21 @@
+============================
+Django 1.11.21 release notes
+============================
+
+*June 3, 2019*
+
+Django 1.11.21 fixes a security issue in 1.11.20.
+
+CVE-2019-12308: AdminURLFieldWidget XSS
+---------------------------------------
+
+The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
+the provided value without validating it as a safe URL. Thus, an unvalidated
+value stored in the database, or a value provided as a URL query parameter
+payload, could result in an clickable JavaScript link.
+
+``AdminURLFieldWidget`` now validates the provided value using
+:class:`~django.core.validators.URLValidator` before displaying the clickable
+link. You may customise the validator by passing a ``validator_class`` kwarg to
+``AdminURLFieldWidget.__init__()``, e.g. when using
+:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
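Review bot: Typo in the vulnerability description, "could result in an clickable JavaScript link" should read "could result in a clickable JavaScript link". Beyond that, the note gives readers what they need to assess exposure and the fix: the affected component (``AdminURLFieldWidget``), the two input paths (an unvalidated stored value and a URL query parameter), the remediation (``URLValidator`` applied before rendering the link) and the ``validator_class`` hook for sites that need a stricter or looser validator via ``formfield_overrides``. Consider spelling "customise" as "customize" to match the American English used elsewhere in the Django docs.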
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 6dafcb075f..38ab2fb1e2 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -45,6 +45,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.21
1.11.20
1.11.19
1.11.18
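Review bot: The new ``1.11.21`` toctree entry is placed above ``1.11.20``, which keeps the list in descending version order and matches the file added in the first hunk (``docs/releases/1.11.21.txt``); no change needed here.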