| field | value | date |
|---|---|---|
| author | Erik Romijn <eromijn@solidlinks.nl> | 2015-03-08 12:34:55 +0100 |
| committer | Tim Graham <timograham@gmail.com> | 2015-03-09 09:31:07 -0400 |
| commit | d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059 | |
| tree | fd55dc8c6ca371bd2c00708aab3643e3cb373574 /docs/releases | |
| parent | 3a0fe942ddf56ddcf4b958147f3914fe2788db30 | |
[1.8.x] Fixed #24464 -- Made built-in HTML template filter functions escape their input by default.
This may cause some backwards compatibility issues, but may also
resolve security issues in third party projects that fail to heed warnings
in our documentation.
Thanks Markus Holtermann for help with tests and docs.
Backport of fa350e2f303572ee8f9a8302dda45a12288d3d95 from master
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/1.8.txt | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt index a88b406a32..b7593c85ce 100644 --- a/docs/releases/1.8.txt +++ b/docs/releases/1.8.txt @@ -1011,6 +1011,26 @@ those writing third-party backends in updating their code: now takes a second argument named ``obj_id`` which is the serialized identifier used to retrieve the object before deletion. +Default autoescaping of functions in ``django.template.defaultfilters`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to make built-in template filters that output HTML "safe by default" +when calling them in Python code, the following functions in +``django.template.defaultfilters`` have been changed to automatically escape +their input value: + +* ``join`` +* ``linebreaksbr`` +* ``linebreaks_filter`` +* ``linenumbers`` +* ``unordered_list`` +* ``urlize`` +* ``urlizetrunc`` + +You can revert to the old behavior by specifying ``autoescape=False`` if you +are passing trusted content. This change doesn't have any effect when using +the corresponding filters in templates. + Miscellaneous ~~~~~~~~~~~~~ |
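Review bot: the new "Default autoescaping" section names the ``autoescape=False`` opt-out but never shows the call form, so a reader of the release note cannot tell whether it is a keyword argument on each listed function or a setting; add one example call such as ``linebreaksbr(value, autoescape=False)`` after the "You can revert to the old behavior" sentence and state explicitly that the parameter defaults to ``True``. The section also lists the affected functions only by name; since the point of the change is that callers who previously escaped values themselves will now get different output, a sentence telling such callers how to pass already-trusted content (the ``autoescape=False`` path) should come before the list rather than after it, so it is not missed by someone skimming the bullets. Finally, the sentence "This change doesn't have any effect when using the corresponding filters in templates" is the key backwards-compatibility fact and deserves its own paragraph rather than being appended to the opt-out sentence.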
