mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

Removed gender-based pronouns per [c0a2daad78].

Tim Graham
2013-11-30 08:37:15 -05:00
parent c0a2daad78
commit f3e7ab366c
12 changed files with 19 additions and 20 deletions


@@ -73,8 +73,7 @@ The Django admin has long had an undocumented "feature" allowing savvy
users to manipulate the query string of changelist pages to filter the
list of objects displayed. However, this also creates a security
issue, as a staff user with sufficient knowledge of model structure
could use this "feature" to gain access to information he or she would
not normally have.
could use this "feature" to gain access to information not normally accessible.
As a result, changelist filtering now explicitly validates all lookup
arguments in the query string, and permits only fields which are
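Review bot: The replacement line "could use this "feature" to gain access to information not normally accessible." no longer says to whom the information is inaccessible, whereas the removed wording tied it to the staff user. Consider "information not normally accessible to them" (or "that they would not normally have") and rewrap the paragraph, since the new line already sits at 79 columns.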


@@ -19,7 +19,7 @@ The security checks for these redirects (namely
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
and as such allowed ``javascript:...`` URLs to be entered. If a developer
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
URL into a link, he or she could suffer from a XSS attack. This bug doesn't affect
URL into a link, they could suffer from a XSS attack. This bug doesn't affect
Django currently, since we only put this URL into the ``Location`` response
header and browsers seem to ignore JavaScript there.
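Review bot: The rewritten line "URL into a link, they could suffer from a XSS attack." keeps the article error "a XSS"; since the line is being changed anyway, make it "an XSS attack". The singular "they" has "a developer" as its only antecedent, so it reads correctly, but "their site could be exposed to an XSS attack" would make clearer what is at risk when the URL is placed in a link.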


@@ -811,7 +811,7 @@ instance:
* Consequences: The user will see an error about the form having expired
and will be sent back to the first page of the wizard, losing the data
he or she has entered so far.
entered so far.
* Time period: The amount of time you expect users to take filling out the
affected forms.


@@ -16,7 +16,7 @@ The security checks for these redirects (namely
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
and as such allowed ``javascript:...`` URLs to be entered. If a developer
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
URL into a link, he or she could suffer from a XSS attack. This bug doesn't affect
URL into a link, they could suffer from a XSS attack. This bug doesn't affect
Django currently, since we only put this URL into the ``Location`` response
header and browsers seem to ignore JavaScript there.
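Review bot: The first context line of this hunk names the function as ``django.util.http.is_safe_url()``, but the module is ``django.utils.http``. While this paragraph is being edited, correct the dotted path here and in the identical paragraph of the other file in this commit, so readers looking up the affected function find it.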