Django 1.4.6 release notes¶
August 13, 2013
Django 1.4.6 fixes one security issue present in previous Django releases in the 1.4 series, as well as one other bug.
This is the sixth bugfix/security release in the Django 1.4 series.
Mitigated possible XSS attack via user-supplied redirect URLs¶
Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) didn't check if the scheme is http(s) and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from an XSS attack. This bug doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.
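The following is an added, constructed example (not Django's own django.utils.http.is_safe_url() implementation) that models the check described above. It places a host-only check, which lets scheme-only targets such as javascript: through because they carry no network location, beside a hardened check that additionally restricts the scheme to http(s). The host name and the candidate URLs are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Constructed model of the redirect-target check, not Django's own code.
# `host` is the host the current request was served for (assumed parameter).


def is_safe_url_host_only(url, host):
    """Model of the flawed check: it only compares the host, never the scheme.

    A javascript: URL has no netloc, so it is treated like a relative path
    and accepted.
    """
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url(url, host):
    """Hardened check: same host test, plus only scheme-less (relative)
    or http(s) targets are accepted, so javascript:/data: targets are rejected.
    """
    if not url:
        return False
    parsed = urlparse(url.strip())
    # urlparse() lower-cases the scheme, but compare case-insensitively anyway.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    return not parsed.netloc or parsed.netloc == host


def check_candidates(host="example.com"):
    """Run both checks over constructed redirect targets.

    Returns {url: (host_only_result, hardened_result)}.
    """
    candidates = [
        "/accounts/profile/",                # relative path: fine either way
        "https://example.com/next/",         # same host over https: fine
        "http://evil.example/",              # foreign host: rejected by both
        "javascript:alert(document.cookie)", # no netloc: host-only check passes it
        "JavaScript:alert(1)",               # mixed-case scheme must still be caught
        "data:text/html,hello",              # another non-http(s) scheme
    ]
    return {u: (is_safe_url_host_only(u, host), is_safe_url(u, host))
            for u in candidates}


if __name__ == "__main__":
    for url, (old, new) in check_candidates().items():
        print(f"{url!r:45} host-only={old!s:5} hardened={new}")
```

The difference only matters when the accepted value ends up somewhere a browser will follow it as a link (an href) rather than in the Location header, which is why the note above says current Django is not affected; the scheme check removes that dependence on where the URL is later used.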
Bugfixes¶
- Fixed an obscure bug with the override_settings() decorator. If you hit an `AttributeError: 'Settings' object has no attribute '_original_allowed_hosts'` exception, it's probably fixed (#20636).