author: Tim Graham <timograham@gmail.com> 2016-07-06 15:41:06 -0400
committer: Tim Graham <timograham@gmail.com> 2016-07-15 09:23:32 -0400
commit: d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 (patch)
tree: caffc2e8db737972ec4d8d48961f506e43090336 /docs/releases
parent: ab2f5f764a2f6db97e23cccd5c4f5abbb43d1caf (diff)
[1.9.x] Fixed XSS in admin's add/change related popup.
This is a security fix.
Diffstat (limited to 'docs/releases')
-rw-r--r--  docs/releases/1.8.14.txt  | 15
-rw-r--r--  docs/releases/1.9.8.txt   | 15
2 files changed, 26 insertions, 4 deletions
diff --git a/docs/releases/1.8.14.txt b/docs/releases/1.8.14.txt
index 6311172abc..31a304f7c0 100644
--- a/docs/releases/1.8.14.txt
+++ b/docs/releases/1.8.14.txt
@@ -2,9 +2,20 @@
Django 1.8.14 release notes
===========================
-*Under development*
+*July 18, 2016*
-Django 1.8.14 fixes several bugs in 1.8.13.
+Django 1.8.14 fixes a security issue and a bug in 1.8.13.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
Bugfixes
========
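Review bot: the new section starting at `+XSS in admin's add/change related popup` gives neither an advisory identifier nor the precondition under which attacker-controlled data reaches the popup, so an operator reading this note cannot match it to a CVE or judge their exposure; suggest adding the identifier to the heading once assigned (placeholder form: `XSS in admin's add/change related popup (CVE-XXXX-XXXX)`) and one sentence stating which value is rendered into the popup and who can set it. Also, `prevent execution of the data` overstates what the change does: `textContent` inserts the string as text so it is never parsed as markup, so consider `so that the data is inserted as text rather than parsed as HTML`.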
diff --git a/docs/releases/1.9.8.txt b/docs/releases/1.9.8.txt
index 8db5c3d01f..08ba5ae08f 100644
--- a/docs/releases/1.9.8.txt
+++ b/docs/releases/1.9.8.txt
@@ -2,9 +2,20 @@
Django 1.9.8 release notes
==========================
-*Under development*
+*July 18, 2016*
-Django 1.9.8 fixes several bugs in 1.9.7.
+Django 1.9.8 fixes a security issue and several bugs in 1.9.7.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
Bugfixes
========
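Review bot: this section is a verbatim copy of the 1.8.14 text, so any wording or identifier change made to that file (advisory id in the heading, the precondition sentence, the `prevent execution of the data` phrasing) must be mirrored here, otherwise the two release notes for the same fix will drift apart; consider making the edits to both files in the same commit rather than relying on a follow-up.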