diff options
Diffstat (limited to 'docs/releases/1.7.3.txt')
| -rw-r--r-- | docs/releases/1.7.3.txt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt index 46785bf4a6..2f3c9c7f49 100644 --- a/docs/releases/1.7.3.txt +++ b/docs/releases/1.7.3.txt @@ -36,7 +36,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. The security checks for these -redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading +redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer |