This document is for Django's development version, which can be significantly different from previous releases. For older releases, use the version selector floating in the bottom right corner of this page.
Unsafe usage of JavaScript’s Element.innerHTML could result in XSS in the
admin’s add/change related popup. Element.textContent is now used to
prevent execution of the data.
The debug view also used innerHTML. Although a security issue wasn’t
identified there, out of an abundance of caution it’s also updated to use
textContent.
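An added example (not Django's code): a small audit helper that lists assignments to innerHTML in JavaScript source, the pattern described above, and marks whether the assigned value is dynamic or a fixed literal. The sample source and every function name in it are constructed for illustration.

```javascript
// Added example, not Django's code. SAMPLE_SOURCE and all function names
// in it are constructed for illustration.
const SAMPLE_SOURCE = [
  "function addRelatedOption(select, newId, newRepr) {",
  "  var option = document.createElement('option');",
  "  option.value = newId;",
  "  option.innerHTML = newRepr;      // parsed as markup: the unsafe pattern",
  "  select.appendChild(option);",
  "}",
  "function clearPanel(panel) {",
  "  panel.innerHTML = '';",
  "}",
  "function addRelatedOptionFixed(select, newId, newRepr) {",
  "  var option = document.createElement('option');",
  "  option.value = newId;",
  "  option.textContent = newRepr;    // inserted as text, never parsed",
  "  select.appendChild(option);",
  "}",
  "// panel.innerHTML = oldMarkup;",
  "if (panel.innerHTML === '') { hide(panel); }",
].join('\n');

// Assignment (= or +=) to .innerHTML; the lookahead rejects == and ===.
const INNER_HTML_WRITE = /\.innerHTML\s*(\+?=)(?!=)\s*(.*)$/;
// A right-hand side that is one quoted literal and nothing else.
const PLAIN_LITERAL = /^(['"])(?:\\.|(?!\1)[^\\])*\1\s*;?\s*$/;

function findInnerHtmlWrites(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    if (/^\s*\/\//.test(text)) return;            // whole-line comment
    const match = INNER_HTML_WRITE.exec(text);
    if (!match) return;                           // reads and comparisons
    const rhs = match[2].replace(/;\s*\/\/.*$/, ';'); // drop trailing comment
    findings.push({
      line: index + 1,
      operator: match[1],
      // Anything but a fixed literal may carry user-controlled data.
      dynamic: !PLAIN_LITERAL.test(rhs),
      code: text.trim(),
    });
  });
  return findings;
}

for (const f of findInnerHtmlWrites(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.dynamic ? 'REVIEW' : 'literal'}  ${f.code}`);
}
```

The check is line-based and deliberately conservative: template literals and concatenations are reported as dynamic, and each reported line still needs a manual look at where its value comes from.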