Author: aaugustin
Date: 2012-01-07 13:47:38 -0800 (Sat, 07 Jan 2012)
New Revision: 17354

Modified:
   django/trunk/docs/releases/1.4.txt
Log:
Moved two paragraphs from "deprecated features" to "backwards-incompatible 
changes", where they belong.


Modified: django/trunk/docs/releases/1.4.txt
===================================================================
--- django/trunk/docs/releases/1.4.txt  2012-01-07 21:42:37 UTC (rev 17353)
+++ django/trunk/docs/releases/1.4.txt  2012-01-07 21:47:38 UTC (rev 17354)
@@ -920,6 +920,22 @@
 fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
 for additional security.
 
+Session cookies now have the ``httponly`` flag by default
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Session cookies now include the ``httponly`` attribute by default to
+help reduce the impact of potential XSS attacks. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
+
+The :tfilter:`urlize` filter no longer escapes every URL
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
+digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
+apply URL escaping again. This is wrong for URLs whose unquoted form contains
+a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
+since they would confuse browsers too.
+
 Features deprecated in 1.4
 ==========================
 
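Review bot: The ``httponly`` paragraph, now listed under backwards-incompatible changes, does not say what actually breaks for the reader: client-side JavaScript that reads the session cookie through ``document.cookie`` stops seeing it once the attribute is set. Suggest adding a sentence that names that case and notes that ``SESSION_COOKIE_HTTPONLY = False`` removes the XSS mitigation the paragraph describes, so it reads as a fallback rather than a neutral switch. In the urlize paragraph, "When an URL" should be "When a URL".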
@@ -1053,22 +1069,6 @@
 
 See :ref:`filters and auto-escaping <filters-auto-escaping>` for more 
information.
 
-The :tfilter:`urlize` filter no longer escapes every URL
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
-digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
-apply URL escaping again. This is wrong for URLs whose unquoted form contains
-a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
-since they would confuse browsers too.
-
-Session cookies now have the ``httponly`` flag by default
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Session cookies now include the ``httponly`` attribute by default to
-help reduce the impact of potential XSS attacks. For strict backwards
-compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
-
 Wildcard expansion of application names in `INSTALLED_APPS`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
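Review bot: The context line beginning "See :ref:`filters and auto-escaping" is split across two lines in this mail, leaving "information." without a leading-space marker, so the hunk as mailed no longer matches its 22-line header and patch tools will reject it. Take the change from revision 17354 in the repository rather than from this message. The two removed sections reappear in the first hunk with identical text but in swapped order, which is harmless for release notes.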
