Django 1.8.14 release notes
July 18, 2016
Django 1.8.14 fixes a security issue and a bug in 1.8.13.
XSS in admin’s add/change related popup
Unsafe usage of JavaScript’s Element.innerHTML
could result in XSS in the admin’s add/change related popup. Element.textContent
is now used to prevent execution of the data.
The debug view also used innerHTML
. Although a security issue wasn’t identified there, out of an abundance of caution it’s also updated to use textContent
.
漏洞修复
- Fixed missing
varchar/text_pattern_ops
index onCharField
andTextField
respectively when usingAddField
on PostgreSQL (#26889).