diff options
| author | Tim Graham <timograham@gmail.com> | 2015-02-20 09:20:38 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-02-20 09:21:39 -0500 |
| commit | dd0b487872de4e3ff966da51e3610bac996e44f0 (patch) | |
| tree | a2f8155e195e76078e8b85cfdee4db84de17753b /docs/releases/1.4.18.txt | |
| parent | d28bcba209fa3f90f92ce2fd216baf5b5800d143 (diff) | |
Fixed typo in path to is_safe_url()
Diffstat (limited to 'docs/releases/1.4.18.txt')
| -rw-r--r-- | docs/releases/1.4.18.txt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/releases/1.4.18.txt b/docs/releases/1.4.18.txt index b154d872fa..418808d6cc 100644 --- a/docs/releases/1.4.18.txt +++ b/docs/releases/1.4.18.txt @@ -37,7 +37,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security checks for these -redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading +redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer |