django.git - django

Age	Commit message (Collapse)	Author
2026-03-03	[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.	Natalia
	This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
2026-02-24	[6.0.x] Applied Black's 2026 stable style.	Mariusz Felisiak
	https://github.com/psf/black/releases/tag/26.1.0 Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
2025-12-31	[6.0.x] Fixed #36829 -- Reverted value of ClearableFileInput.use_fieldset to ↵	Johannes Maron
	True. There was unresolved discussion regarding whether to set ClearableFileInput.use_fieldset to True or False when use_fieldset was introduced in Django 4.1, since the clear checkbox appears only sometimes. Although using <fieldset> is likely desirable, since the primary motivation in #35892 was just to improve markup in the admin, and a deprecation path was not provided for general form usage, future work is deferred to #36828. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Thanks Tim Graham, Antoliny, and David Smith for triage.
2025-08-19	Fixed #35892 -- Supported Widget.use_fieldset in admin forms.	antoliny0919

2025-07-23	Refs #36500 -- Rewrapped long docstrings and block comments via a script.	django-bot
	Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-07-23	Refs #36500 -- Shortened some long docstrings and comments.	Mike Edmunds
	Manually reformatted some long docstrings and comments that would be damaged by the to-be-applied autofixer script, in cases where editorial judgment seemed necessary for style or wording changes.
2025-04-09	Fixed #35986 -- Fixed test classes with @translation.override decorator.	Ahmed Nassar
	Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-03-18	Made selenium tests less flaky by waiting until popups are closed and page ↵	Sarah Boyce
	is loaded.
2025-03-01	Applied Black's 2025 stable style.	Mariusz Felisiak
	https://github.com/psf/black/releases/tag/25.1.0
2025-02-18	Refs #36005 -- Used datetime.UTC alias instead of datetime.timezone.utc.	Mariusz Felisiak
	datetime.UTC was added in Python 3.11.
2025-01-17	Fixed invalid HTML in test templates.	Thibaut Decombe

2025-01-15	Refs #34380 -- Changed the URLField default scheme to https and removed ↵	Sarah Boyce
	FORMS_URLFIELD_ASSUME_HTTPS per deprecation timeline.
2025-01-15	Refs #32339 -- Removed transitional form renderers per deprecation timeline.	Sarah Boyce

2025-01-15	Fixed #35521 -- Allowed overriding BoundField class on fields, forms and ↵	Matthias Kestenholz
	renderers. Thank you Sarah Boyce, Carlton Gibson, Tim Schilling and Adam Johnson for reviews. Co-authored-by: Christophe Henry <contact@c-henry.fr> Co-authored-by: David Smith <smithdc@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Matthias Kestenholz <mk@feinheit.ch>
2025-01-14	Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation.	Michael Manfre
	Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-01-08	Fixed #36014 -- Supported international domains in EmailValidator.	Chaitanya Rahalkar

2025-01-02	Fixed #32819 -- Added aria-describedby to fields with errors.	David Smith

2025-01-02	Fixed #35886 -- Added support for object-based form media script assets.	Johannes Maron

2024-12-17	Refs #32819 -- Added aria-describedby property to BoundField.	David Smith

2024-12-10	Refs #35987 -- Added extra tests for ErrorList and ErrorDict copy methods.	Adam Johnson

2024-12-10	Fixed #35987 -- Made ErrorList.copy() copy the renderer attribute.	Adam Johnson

2024-12-10	Fixed #35988 -- Made BaseForm.full_clean() pass renderer to ErrorDict.	Adam Johnson

2024-12-05	Refs #32819 -- Added id to ErrorList class and template.	David Smith

2024-11-20	Fixed #35913 -- Prevented formset name suffix 'FormFormSet'.	antoliny0919

2024-08-28	Fixed #35666 -- Documented stacklevel usage and testing, and adjusted test ↵	Simon Charette
	suite accordingly. Over the years we've had multiple instances of hit and misses when emitting warnings: either setting the wrong stacklevel or not setting it at all. This work adds assertions for the existing warnings that were declaring the correct stacklevel, but were lacking tests for it.
2024-08-28	Refs #32339 -- Adjusted deprecation warning stacklevel in transitional form ↵	Simon Charette
	renderers.
2024-08-02	Fixed #35601 -- Added TelInput widget.	lucasesposito

2024-08-02	Fixed #35599 -- Added ColorInput widget.	arjunomray

2024-07-31	Fixed #35598 -- Added SearchInput widget.	Jeremy Thompson

2024-07-22	Cleaned up temporary test directories in tests.	Mariusz Felisiak

2024-04-30	Refs #32819 -- Avoided adding 'aria-describedby' to hidden inputs.	David Smith
	Hidden elements are not visible for both accessibility tools and browsers presentation layer. This change therefore only reduces the size of the generated HTML.
2024-03-14	Refs #34488 -- Made ClearableFileInput preserve "Clear" checked attribute ↵	Johannes Maron
	when form is invalid.
2024-01-26	Applied Black's 2024 stable style.	Mariusz Felisiak
	https://github.com/psf/black/releases/tag/24.1.0
2024-01-18	Corrected forms imports in forms_tests/tests/test_forms.py.	Mariusz Felisiak

2024-01-04	Used enterClassContext() where appropriate.	Mariusz Felisiak

2023-12-31	Used addCleanup() in tests where appropriate.	Mariusz Felisiak

2023-11-28	Refs #34380 -- Added FORMS_URLFIELD_ASSUME_HTTPS transitional setting.	Mariusz Felisiak
	This allows early adoption of the new default "https".
2023-11-28	Refs #34986 -- Fixed some test assertions for PyPy.	Nick Pope
	These failures were due to minor inconsistencies or implementation differences between CPython and PyPy.
2023-11-17	Refs #32819 -- Established relationship between form fieldsets and their ↵	David Smith
	help text. This adds aria-describedby for widgets rendered in a fieldset such as radios. aria-describedby for these widgets is added to the <fieldset> element rather than each <input>.
2023-11-17	Refs #32819 -- Added aria-describedby test for widgets with custom id.	David Smith

2023-09-29	Refs #15667 -- Added resetting default renderer when FORM_RENDERER is changed.	Mariusz Felisiak

2023-08-30	Fixed #31262 -- Added support for mappings on model fields and ↵	Nick Pope
	ChoiceField's choices.
2023-08-01	Fixed #32820 -- Added aria-invalid="true" to fields with errors.	Gregor Jerše
	Co-authored-by: Demetris Stavrou <demestav@gmail.com> Co-authored-by: David Smith <smithdc@gmail.com>
2023-07-31	Refs #34655 -- Made cosmetic edits to RadioSelect tests.	nessita
	Follow up to f9c5958b8fe452983122b6a13c8f806e4e4e1eef.
2023-07-28	Fixed #34655 -- Increased radioselect's test coverage.	Jakub Bagiński

2023-07-24	Fixed #34532 -- Made formset_factory() respect Form's default_renderer.	Christopher Cave-Ayland
	Co-authored-by: David Smith <smithdc@gmail.com>
2023-07-12	Fixed #34705 -- Reallowed BoundField.as_widget()'s attrs argument to set ↵	Sage Abdullah
	aria-describedby. Regression in 966ecdd482167f3f6b08b00f484936c837751cb9.
2023-07-06	Fixed #32819 -- Established relationship between form fields and their help ↵	Gregor Jerše
	text. Thanks Nimra for the initial patch. Thanks Natalia Bidart, Thibaud Colas, David Smith, and Mariusz Felisiak for reviews.
2023-07-03	Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and ↵	Mariusz Felisiak
	URLValidator. Thanks Seokchan Yoon for reports.
2023-06-16	Fixed #34473 -- Fixed step validation for form fields with non-zero minimum ↵	Jacob Rief
	value.