[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields

This issue was fixed by refs #24464.
2025-10-24 06:06:09 +00:00 · 2015-03-08 11:50:32 +01:00
parent 980d604bf2
commit 35d68e8e76
4 changed files with 33 additions and 3 deletions
--- a/docs/releases/1.7.6.txt
+++ b/docs/releases/1.7.6.txt
@@ -2,9 +2,23 @@
 Django 1.7.6 release notes
 ==========================

-*Under Development*
+*March 9, 2015*

-Django 1.7.6 fixes several bugs in 1.7.5.
+Django 1.7.6 fixes a security issue and several bugs in 1.7.5.
+
+Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
+========================================================================
+
+The :attr:`ModelAdmin.readonly_fields
+<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
+admin allows displaying model fields and model attributes. While the former
+were correctly escaped, the latter were not. Thus untrusted content could be
+injected into the admin, presenting an exploitation vector for XSS attacks.
+
+In this vulnerability, every model attribute used in ``readonly_fields`` that
+is not an actual model field (e.g. a :class:`property`) will **fail to be
+escaped** even if that attribute is not marked as safe. In this release,
+autoescaping is now correctly applied.

 Bugfixes
 ========