path: root/docs/releases/3.0.txt
author: Carlton Gibson <carlton.gibson@noumenal.es> 2019-08-14 17:39:21 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-09-02 15:32:23 +0200
commit: 4f61810751751b8c5070ce038ea57e949650e9e3 (patch)
tree: 7fdc414994aba15b3931b3917829abb290bb7468 /docs/releases/3.0.txt
parent: 13a8884a08342817094cc6287c7ae346100a297d (diff)
Fixed #30747 -- Renamed is_safe_url() to url_has_allowed_host_and_scheme().
Diffstat (limited to 'docs/releases/3.0.txt')
-rw-r--r-- docs/releases/3.0.txt | 8
1 file changed, 8 insertions, 0 deletions
diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt
index 910d3a2592..52d435d5d5 100644
--- a/docs/releases/3.0.txt
+++ b/docs/releases/3.0.txt
@@ -601,6 +601,14 @@ Miscellaneous
:func:`html.unescape`. Note that unlike ``unescape_entities()``,
``html.unescape()`` evaluates lazy strings immediately.
+* To avoid possible confusion as to effective scope, the private internal
+ utility ``is_safe_url()`` is renamed to
+ ``url_has_allowed_host_and_scheme()``. That a URL has an allowed host and
+ scheme doesn't in general imply that it's "safe". It may still be quoted
+ incorrectly, for example. Ensure to also use
+ :func:`~django.utils.encoding.iri_to_uri` on the path component of untrusted
+ URLs.
+
.. _removed-features-3.0:
Features removed in 3.0
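Review bot: The new bullet says ``is_safe_url()`` "is renamed to ``url_has_allowed_host_and_scheme()``" but does not say whether the old name is kept as an alias or removed outright; a reader checking whether code that imports ``is_safe_url()`` will break in 3.0 cannot tell from this note, so state the outcome for the old name explicitly. Two wording points in the same bullet: "Ensure to also use" reads awkwardly and would be clearer as "Also be sure to use", and "It may still be quoted incorrectly, for example" is the only illustration given of why an allowed host and scheme does not make a URL "safe"; naming the concern more concretely (that the check says nothing about how the path is encoded) would make the follow-on advice to apply :func:`~django.utils.encoding.iri_to_uri` to the path component easier to connect to the rename.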