February 1, 2022
Django 4.0.2 fixes two security issues with severity "medium" and several bugs in 4.0.1. Also, the latest string translations from Transifex are incorporated, with a special mention for Bulgarian (fully translated).
{% debug %} template tag

The {% debug %} template tag didn't properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, {% debug %} no longer outputs information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True.
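The following is an added illustration of the two-part fix described above, not Django's own DebugNode code: a minimal context-dumping helper in its "before" form (values emitted verbatim) next to a hardened form that emits nothing unless the debug flag is on and HTML-escapes every key and formatted value it does show. The helper names, the regex check and the sample context are all constructed for this example.

```python
import html
import pprint
import re

# Assumption: these helpers stand in for a template tag that dumps the current
# context. They are not Django's implementation; they only mirror the two
# properties the 4.0.2 fix establishes (gate on DEBUG, escape what is shown).


def render_debug_unsafe(context):
    """'Before' behaviour: each value is pretty-printed and emitted as-is, so
    markup stored in a context value reaches the rendered page unescaped."""
    lines = [f"{key}: {pprint.pformat(value)}" for key, value in context.items()]
    return "\n".join(lines)


def render_debug_safe(context, debug):
    """Hardened behaviour: no output at all unless debug is True, and both the
    key and the pretty-printed value are HTML-escaped before they are joined
    into the fragment."""
    if not debug:
        return ""
    lines = [
        f"{html.escape(str(key))}: {html.escape(pprint.pformat(value))}"
        for key, value in context.items()
    ]
    return "\n".join(lines)


# Loose check for anything that still looks like a raw HTML tag. A hardened
# debug dump should never contain one, whatever the context holds.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_raw_tags(rendered):
    """Return every raw tag found in a rendered fragment (empty list if none)."""
    return _TAG_RE.findall(rendered)


# Constructed sample context: a value carrying markup, plus a nested structure
# so that pprint's formatting of containers is exercised as well.
CONSTRUCTED_CONTEXT = {
    "user_input": "<script>alert(1)</script>",
    "items": [1, 2, {"nested": "<b>bold</b>"}],
}


if __name__ == "__main__":
    print("DEBUG=False ->", repr(render_debug_safe(CONSTRUCTED_CONTEXT, debug=False)))
    print("DEBUG=True  ->")
    print(render_debug_safe(CONSTRUCTED_CONTEXT, debug=True))
    print("raw tags in unsafe output:", find_raw_tags(render_debug_unsafe(CONSTRUCTED_CONTEXT)))
```

Running it shows the unsafe renderer leaking `<script>` and `<b>` tags into its output, while the hardened one returns an empty string when the flag is off and only entity-encoded text (`&lt;script&gt;`) when it is on. The same `find_raw_tags` style check is a cheap assertion to keep in a project's own template tests for any tag that echoes context data.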
Denial-of-service possibility in file uploads

Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Bugfixes

- Fixed TestCase.captureOnCommitCallbacks() executing callbacks multiple times (#33410).
- Fixed help_text being HTML-escaped in automatically-generated forms (#33419).
- Fixed repr() of ResolverMatch for class-based views (#33426).
- Fixed makemigrations on models without Meta.order_with_respect_to but with a field named _order (#33449).
- Fixed ModelAdmin.radio_fields layout in the admin (#33407).
- Fixed QuerySet.aggregate() after annotate() on an aggregate function with a default (#33468).
- Fixed makemigrations when renaming a field of a renamed model (#33480).