June 3, 2019
Django 1.11.21 fixes a security issue in 1.11.20.
The clickable “Current URL” link generated by AdminURLFieldWidget
displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.
AdminURLFieldWidget
now validates the provided value using
URLValidator
before displaying the clickable
link. You may customize the validator by passing a validator_class
kwarg to
AdminURLFieldWidget.__init__()
, e.g. when using
formfield_overrides
.
Jun 14, 2020