February 1, 2022
Django 4.0.2 fixes two security issues with severity « medium » and several bugs in 4.0.1. Also, the latest string translations from Transifex are incorporated, with a special mention for Bulgarian (fully translated).
{% debug %}
template tag¶The {% debug %}
template tag didn’t properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, {% debug %}
no longer outputs
information when the DEBUG
setting is False
, and it ensures all context
variables are correctly escaped when the DEBUG
setting is True
.
Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Correction d’un bogue dans Django 4.0 où TestCase.captureOnCommitCallbacks()
pouvait exécuter des fonctions de rappel plusieurs fois (#33410).
Correction d’une régression dans Django 4.0 où le contenu potentiellement en HTML de help_text
était échappé dans les formulaires générés automatiquement.
Fixed a regression in Django 4.0 that caused displaying an incorrect name for class-based views on the technical 404 debug page (#33425).
Fixed a regression in Django 4.0 that caused an incorrect repr
of
ResolverMatch
for class-based views (#33426).
Fixed a regression in Django 4.0 that caused a crash of makemigrations
on
models without Meta.order_with_respect_to
but with a field named
_order
(#33449).
Fixed a regression in Django 4.0 that caused incorrect
ModelAdmin.radio_fields
layout in the admin (#33407).
Fixed a duplicate operation regression in Django 4.0 that caused a migration crash when altering a primary key type for a concrete parent model referenced by a foreign key (#33462).
Fixed a bug in Django 4.0 that caused a crash of QuerySet.aggregate()
after annotate()
on an aggregate function with a
default (#33468).
Fixed a regression in Django 4.0 that caused a crash of makemigrations
when renaming a field of a renamed model (#33480).
avr. 05, 2025