mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Moved two paragraphs from "deprecated features" to "backwards-incompatible changes", where they belong.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
cd46863043
commit
c51c9b3ce6
@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though
|
||||
fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
|
||||
for additional security.
|
||||
|
||||
Session cookies now have the ``httponly`` flag by default
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Session cookies now include the ``httponly`` attribute by default to
|
||||
help reduce the impact of potential XSS attacks. For strict backwards
|
||||
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
|
||||
|
||||
The :tfilter:`urlize` filter no longer escapes every URL
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
|
||||
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
|
||||
apply URL escaping again. This is wrong for URLs whose unquoted form contains
|
||||
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
|
||||
since they would confuse browsers too.
|
||||
|
||||
Features deprecated in 1.4
|
||||
==========================
|
||||
|
||||
@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter
|
||||
|
||||
See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
|
||||
|
||||
The :tfilter:`urlize` filter no longer escapes every URL
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
|
||||
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
|
||||
apply URL escaping again. This is wrong for URLs whose unquoted form contains
|
||||
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
|
||||
since they would confuse browsers too.
|
||||
|
||||
Session cookies now have the ``httponly`` flag by default
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Session cookies now include the ``httponly`` attribute by default to
|
||||
help reduce the impact of potential XSS attacks. For strict backwards
|
||||
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
|
||||
|
||||
Wildcard expansion of application names in `INSTALLED_APPS`
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user