| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-08-14 17:39:21 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-09-02 15:32:23 +0200 |
| commit | 4f61810751751b8c5070ce038ea57e949650e9e3 (patch) | |
| tree | 7fdc414994aba15b3931b3917829abb290bb7468 /docs/releases/3.0.txt | |
| parent | 13a8884a08342817094cc6287c7ae346100a297d (diff) | |
| download | django-4f61810751751b8c5070ce038ea57e949650e9e3.tar.gz | |
Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme().
Diffstat (limited to 'docs/releases/3.0.txt')
-rw-r--r-- | docs/releases/3.0.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt index 910d3a2592..52d435d5d5 100644 --- a/docs/releases/3.0.txt +++ b/docs/releases/3.0.txt @@ -601,6 +601,14 @@ Miscellaneous :func:`html.unescape`. Note that unlike ``unescape_entities()``, ``html.unescape()`` evaluates lazy strings immediately. +* To avoid possible confusion as to effective scope, the private internal + utility ``is_safe_url()`` is renamed to + ``url_has_allowed_host_and_scheme()``. That a URL has an allowed host and + scheme doesn't in general imply that it's "safe". It may still be quoted + incorrectly, for example. Ensure to also use + :func:`~django.utils.encoding.iri_to_uri` on the path component of untrusted + URLs. + .. _removed-features-3.0: Features removed in 3.0 |
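Review bot: the added release note calls ``is_safe_url()`` a "private internal utility" but says nothing about what happens to code that still imports it under the old name; since the point of the note is to tell readers about a rename, it should also state whether ``is_safe_url()`` is kept as a deprecated alias for a release cycle or is removed outright, so that projects relying on it know whether they need to update immediately. Two smaller wording points in the same bullet: "Ensure to also use :func:`~django.utils.encoding.iri_to_uri` on the path component of untrusted URLs." reads more naturally as "Also apply :func:`~django.utils.encoding.iri_to_uri` to the path component of untrusted URLs.", and it would help the reader to say briefly why this matters, namely that the new function only checks host and scheme, so the path and query still need to be properly encoded before the URL is used.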