diff options
Diffstat (limited to 'docs/releases/1.4.18.txt')
| -rw-r--r-- | docs/releases/1.4.18.txt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/releases/1.4.18.txt b/docs/releases/1.4.18.txt index b154d872fa..418808d6cc 100644 --- a/docs/releases/1.4.18.txt +++ b/docs/releases/1.4.18.txt @@ -37,7 +37,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security checks for these -redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading +redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer |