September 5, 2017
Django 1.11.5 fixes a security issue and several bugs in 1.11.4.
In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed
a cross-site scripting attack. This vulnerability shouldn’t affect most
production sites since you shouldn’t run with DEBUG = True
(which makes
this page accessible) in your production settings.
cx_Oracle
6 (#28498).'use_returning_into': False
is in the OPTIONS
part of DATABASES
.
The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily
requires an update to Oracle tables created with Django 1.11.[1-4]. Use the
upgrade script in #28451 comment 8 to update sequence and trigger
names to use the pre-1.11 naming scheme.LogoutView
, for equivalence with the
function-based logout()
view (#28513).pages_per_range
from BrinIndex.deconstruct()
if it’s None
(#25809).SelectDateWidget
localized the years in the
select box (#28530).runserver
crashed with non-Unicode
system encodings on Python 2 + Windows (#28487).ManyToManyField
weren’t logged in the admin change history (#27998) and prevented
ManyToManyField
initial data in model forms from being affected by
subsequent model changes (#28543).AssertionError
crash in some
queries with multiple joins (#26522).contrib.auth
’s login()
and logout()
views
where they ignored positional arguments (#28550).Oct 31, 2018