From c51c9b3ce61239ec2a11df56baf24106738bb44a Mon Sep 17 00:00:00 2001 From: Aymeric Augustin Date: Sat, 7 Jan 2012 21:47:38 +0000 Subject: [PATCH] Moved two paragraphs from "deprecated features" to "backwards-incompatible changes", where they belong. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/releases/1.4.txt | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt index d4c723fea5..ea3e9a7fc9 100644 --- a/docs/releases/1.4.txt +++ b/docs/releases/1.4.txt @@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load`` for additional security. +Session cookies now have the ``httponly`` flag by default +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Session cookies now include the ``httponly`` attribute by default to +help reduce the impact of potential XSS attacks. For strict backwards +compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file. + +The :tfilter:`urlize` filter no longer escapes every URL +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal +digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't +apply URL escaping again. This is wrong for URLs whose unquoted form contains +a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild, +since they would confuse browsers too. + Features deprecated in 1.4 ========================== 
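Review bot: while the ``urlize`` paragraph is being relocated verbatim into the backwards-incompatible section, "When an URL contains a ``%xx`` sequence" should read "When a URL contains a ``%xx`` sequence"; a pure move is the natural place to pick up that grammar fix without touching the meaning. Also note that the two subsections land in the reverse order of the block they came from (session cookies first, then ``urlize``), which is harmless for reference docs but worth confirming is intentional rather than an artifact of the cut-and-paste.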
@@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter See :ref:`filters and auto-escaping ` for more information. -The :tfilter:`urlize` filter no longer escapes every URL -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal -digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't -apply URL escaping again. This is wrong for URLs whose unquoted form contains -a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild, -since they would confuse browsers too. - -Session cookies now have the ``httponly`` flag by default -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Session cookies now include the ``httponly`` attribute by default to -help reduce the impact of potential XSS attacks. For strict backwards -compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file. - Wildcard expansion of application names in `INSTALLED_APPS` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
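Review bot: the removed text matches the block added in the earlier hunk line for line, so nothing is lost or reworded in the move and the deprecation section is left with only genuine deprecations. One thing worth double-checking in the destination section is that the ``SESSION_COOKIE_HTTPONLY = False`` sentence still reads as a strict backwards-compatibility opt-out rather than a suggested setting, since turning the flag off hands client-side script access to the session cookie back, which is exactly the XSS exposure the new default is described as limiting.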