Django 1.11.21 release notes¶

June 3, 2019

Django 1.11.21 fixes a security issue in 1.11.20.

CVE-2019-12308: AdminURLFieldWidget XSS¶

The clickable “Current URL” link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customize the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using formfield_overrides.

Django 1.11.22 release notes

Django 1.11.20 release notes

Django 1.11.21 release notes
- CVE-2019-12308: AdminURLFieldWidget XSS

Browse

FAQ: Try the FAQ — it's got answers to many common questions.
Index, Module Index, or Table of Contents: Handy when looking for specific information.
django-users mailing list: Search for information in the archives of the django-users mailing list, or post a question.
#django IRC channel: Ask a question in the #django IRC channel, or search the IRC logs to see if it’s been asked before.
Django Discord Server: Join the Django Discord Community.
Official Django Forum: Join the community on the Django Forum.
Ticket tracker: Report bugs with Django or Django documentation in our ticket tracker.

Download:

Offline (Django 2.1): HTML | PDF | ePub
Provided by Read the Docs.

Documentation

Django 1.11.21 release notes¶

CVE-2019-12308: AdminURLFieldWidget XSS¶

Additional Information

Support Django!

Contents

Browse

You are here:

Getting help

Download:

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us