February 1, 2022
Django 4.0.2 fixes two security issues with severity “medium” and several bugs in 4.0.1. Also, the latest string translations from Transifex are incorporated, with a special mention for Bulgarian (fully translated).
{% debug %}
template tag¶The {% debug %}
template tag didn’t properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, {% debug %}
no longer outputs
information when the DEBUG
setting is False
, and it ensures all context
variables are correctly escaped when the DEBUG
setting is True
.
Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Fixed a bug in Django 4.0 where TestCase.captureOnCommitCallbacks()
could
execute callbacks multiple times (#33410).
Fixed a regression in Django 4.0 where help_text
was HTML-escaped in
automatically-generated forms (#33419).
Fixed a regression in Django 4.0 that caused displaying an incorrect name for class-based views on the technical 404 debug page (#33425).
Fixed a regression in Django 4.0 that caused an incorrect repr
of
ResolverMatch
for class-based views (#33426).
Fixed a regression in Django 4.0 that caused a crash of makemigrations
on
models without Meta.order_with_respect_to
but with a field named
_order
(#33449).
Fixed a regression in Django 4.0 that caused incorrect
ModelAdmin.radio_fields
layout in the admin (#33407).
Fixed a duplicate operation regression in Django 4.0 that caused a migration crash when altering a primary key type for a concrete parent model referenced by a foreign key (#33462).
Fixed a bug in Django 4.0 that caused a crash of QuerySet.aggregate()
after annotate()
on an aggregate function with a
default (#33468).
Fixed a regression in Django 4.0 that caused a crash of makemigrations
when renaming a field of a renamed model (#33480).
Sep 03, 2024