June 3, 2019
Django 2.2.2 fixes security issues and several bugs in 2.2.1.
The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using
URLValidator before displaying the clickable
link. You may customize the validator by passing a validator_class kwarg to
AdminURLFieldWidget.__init__(), e.g. when using
formfield_overrides.
jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution. If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native
Object.prototype.
The bundled version of jQuery used by the Django admin has been patched to
allow for the select2 library's use of jQuery.extend().
Meta.ordering contains an expression (#30463).SearchVector generates SQL with a
redundant Coalesce call (#30488).manage.py file when using StatReloader (#30479).ArrayAgg and
StringAgg with ordering
argument when used in a Subquery (#30315).StatReloader
(#30523).8月 03, 2022