mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 01:25:32 +00:00
Code Issues 32 Releases Wiki Activity

Moved two paragraphs from "deprecated features" to "backwards-incompatible changes", where they belong.

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Aymeric Augustin
2012-01-07 21:47:38 +00:00
parent cd46863043
commit c51c9b3ce6
1 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/releases/1.4.txt
View File

@@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though
fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
for additional security.
Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.
Features deprecated in 1.4
==========================
@@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter
See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.
Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
Wildcard expansion of application names in `INSTALLED_APPS`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~