Skip to content

Commit

Permalink
Moved two paragraphs from "deprecated features" to "backwards-incompa…
Browse files Browse the repository at this point in the history 
…tible changes", where they belong.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information
@aaugustin
aaugustin committed Jan 7, 2012
1 parent cd46863 commit c51c9b3
Showing 1 changed file with 16 additions and 16 deletions.
32 changes: 16 additions & 16 deletions docs/releases/1.4.txt
View file
Expand Up @@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though
fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load`` fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
for additional security. for additional security.


Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.

The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.

Features deprecated in 1.4 Features deprecated in 1.4
========================== ==========================


Expand Down Expand Up @@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter


See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information. See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.


The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.

Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.

Wildcard expansion of application names in `INSTALLED_APPS` Wildcard expansion of application names in `INSTALLED_APPS`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Expand Down

0 comments on commit c51c9b3

Please sign in to comment.