docs/topics/release-notes.md
+12-2
@@ -40,13 +40,22 @@ You can determine your currently installed version using `pip freeze`:
40
40
41
41
## 2.2.x series
42
42
43
-
### Master
43
+
### 2.2.1
44
44
45
+
**Date**: 22nd Feb 2013
46
+
47
+
* Security fix: Use `defusedxml` package to address XML parsing vulnerabilities.
48
+
* Raw data tab added to browseable API. (Eg. Allow for JSON input.)
45
49
* Added TimeField.
46
-
* Serializer fields can be mapped to any method that takes no args, or only takes kwargs which have defaults.
50
+
* Serializer fields can be mapped to any method that takes no args, or only takes kwargs which have defaults.
51
+
* Unicode support for view names/descriptions in browseable API.
47
52
* Bugfix: request.DATA should return an empty `QueryDict` with no data, not `None`.
48
53
* Bugfix: Remove unneeded field validation, which caused extra queries.
49
54
55
+
**Security note**: Following the [disclosure of security vulnerabilities][defusedxml-announce] in Python's XML parsing libraries, use of the `XMLParser` class now requires the `defusedxml` package to be installed.
56
+
57
+
The security vulnerabilities only affect APIs which use the `XMLParser` class, by enabling it in any views, or by having it set in the `DEFAULT_PARSER_CLASSES` setting. Note that the `XMLParser` class is not enabled by default, so this change should affect a minority of users.
58
+
50
59
### 2.2.0
51
60
52
61
**Date**: 13th Feb 2013
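Review bot: The security note added at the end of the 2.2.1 entry says `XMLParser` now requires `defusedxml` but gives users no action to take. Add the install step (for example `pip install defusedxml`) and say what happens when the package is missing, since anyone with `XMLParser` enabled in a view or in `DEFAULT_PARSER_CLASSES` meets this on upgrade. The note also sits below the bugfix bullets, so consider moving it directly under the "Security fix" bullet where readers scanning the list will see it. The `[defusedxml-announce]` reference needs a matching link definition; the second hunk adds one line around line 398, but its content is not visible here, so confirm that line is the definition. The "Serializer fields can be mapped to any method..." bullet is removed and re-added with the same visible text, which looks like a whitespace-only change; drop it from this commit if it is unintentional.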
@@ -389,6 +398,7 @@ This change will not affect user code, so long as it's following the recommended