==========================
Django 4.0.2 release notes
==========================

*February 1, 2022*

Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

CVE-2022-23833: Denial-of-service possibility in file uploads
=============================================================

Passing certain inputs to multipart forms could result in an infinite loop when
parsing files.

Bugfixes
========

* Fixed a bug in Django 4.0 where ``TestCase.captureOnCommitCallbacks()`` could
  execute callbacks multiple times (:ticket:`33410`).

* Fixed a regression in Django 4.0 where ``help_text`` was HTML-escaped in
  automatically-generated forms (:ticket:`33419`).

* Fixed a regression in Django 4.0 that caused displaying an incorrect name for
  class-based views on the technical 404 debug page (:ticket:`33425`).

* Fixed a regression in Django 4.0 that caused an incorrect ``repr`` of
  ``ResolverMatch`` for class-based views (:ticket:`33426`).

* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations`` on
  models without ``Meta.order_with_respect_to`` but with a field named
  ``_order`` (:ticket:`33449`).

* Fixed a regression in Django 4.0 that caused incorrect
  :attr:`.ModelAdmin.radio_fields` layout in the admin (:ticket:`33407`).

* Fixed a duplicate operation regression in Django 4.0 that caused a migration
  crash when altering a primary key type for a concrete parent model referenced
  by a foreign key (:ticket:`33462`).

* Fixed a bug in Django 4.0 that caused a crash of ``QuerySet.aggregate()``
  after ``annotate()`` on an aggregate function with a
  :ref:`default <aggregate-default>` (:ticket:`33468`).

* Fixed a regression in Django 4.0 that caused a crash of ``makemigrations``
  when renaming a field of a renamed model (:ticket:`33480`).