Loading docs/internals/contributing/writing-code/submitting-patches.txt +7 −7 Original line number Diff line number Diff line Loading @@ -242,16 +242,16 @@ Once you have completed these steps, you are finished with the deprecation. In each major release, all ``RemovedInDjangoXXWarning``\s matching the new version are removed. Javascript patches JavaScript patches ------------------ Django's admin system leverages the jQuery framework to increase the capabilities of the admin interface. In conjunction, there is an emphasis on admin javascript performance and minimizing overall admin media file size. Serving compressed or "minified" versions of javascript files is considered admin JavaScript performance and minimizing overall admin media file size. Serving compressed or "minified" versions of JavaScript files is considered best practice in this regard. To that end, patches for javascript files should include both the original To that end, patches for JavaScript files should include both the original code for future development (e.g. ``foo.js``), and a compressed version for production use (e.g. ``foo.min.js``). Any links to the file in the codebase should point to the compressed version. Loading @@ -259,7 +259,7 @@ should point to the compressed version. Compressing JavaScript ~~~~~~~~~~~~~~~~~~~~~~ To simplify the process of providing optimized javascript code, Django To simplify the process of providing optimized JavaScript code, Django includes a handy python script which should be used to create a "minified" version. To run it:: Loading 
@@ -268,11 +268,11 @@ version. To run it:: Behind the scenes, ``compress.py`` is a front-end for Google's `Closure Compiler`_ which is written in Java. However, the Closure Compiler library is not bundled with Django directly, so those wishing to contribute complete javascript patches will need to download and install the library complete JavaScript patches will need to download and install the library independently. The Closure Compiler library requires `Java`_ 7 or higher. Please don't forget to run ``compress.py`` and include the ``diff`` of the minified scripts when submitting patches for Django's javascript. minified scripts when submitting patches for Django's JavaScript. .. _Closure Compiler: https://developers.google.com/closure/compiler/ .. _list of tickets with patches: https://code.djangoproject.com/query?status=new&status=assigned&status=reopened&has_patch=1&order=priority Loading docs/ref/contrib/admin/index.txt +2 −2 Original line number Diff line number Diff line Loading @@ -1827,7 +1827,7 @@ definitions on forms <form-asset-paths>`. jQuery ~~~~~~ Django admin Javascript makes use of the `jQuery`_ library. Django admin JavaScript makes use of the `jQuery`_ library. To avoid conflicts with user-supplied scripts or libraries, Django's jQuery (version 1.11.2) is namespaced as ``django.jQuery``. If you want to use jQuery Loading Loading @@ -2673,7 +2673,7 @@ Index ``index`` Logout ``logout`` Password change ``password_change`` Password change done ``password_change_done`` i18n javascript ``jsi18n`` i18n JavaScript ``jsi18n`` Application index page ``app_list`` ``app_label`` Redirect to object's page ``view_on_site`` ``content_type_id``, ``object_id`` ========================= ======================== ================================== Loading docs/ref/csrf.txt +2 −2 Original line number Diff line number Diff line Loading 
@@ -7,7 +7,7 @@ Cross Site Request Forgery protection The CSRF middleware and template tag provides easy-to-use protection against `Cross Site Request Forgeries`_. This type of attack occurs when a malicious Web site contains a link, a form button or some javascript that is intended to Web site contains a link, a form button or some JavaScript that is intended to perform some action on your Web site, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, 'login CSRF', where an attacking site tricks a user's browser into logging into Loading Loading @@ -80,7 +80,7 @@ While the above method can be used for AJAX POST requests, it has some inconveniences: you have to remember to pass the CSRF token in as POST data with every POST request. For this reason, there is an alternative method: on each XMLHttpRequest, set a custom ``X-CSRFToken`` header to the value of the CSRF token. This is often easier, because many javascript frameworks provide hooks token. This is often easier, because many JavaScript frameworks provide hooks that allow headers to be set on every request. As a first step, you must get the CSRF token itself. The recommended source for Loading docs/ref/middleware.txt +3 −3 Original line number Diff line number Diff line Loading @@ -252,7 +252,7 @@ sites with improperly configured servers, it can also pose a security risk. If your site serves user-uploaded files, a malicious user could upload a specially-crafted file that would be interpreted as HTML or Javascript by specially-crafted file that would be interpreted as HTML or JavaScript by the browser when you expected it to be something harmless. To learn more about this header and how the browser treats it, you can Loading Loading 
@@ -280,8 +280,8 @@ setting will be useful. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Some browsers have the ability to block content that appears to be an `XSS attack`_. They work by looking for Javascript content in the GET or POST parameters of a page. If the Javascript is replayed in the server's response, attack`_. They work by looking for JavaScript content in the GET or POST parameters of a page. If the JavaScript is replayed in the server's response, the page is blocked from rendering and an error page is shown instead. The `X-XSS-Protection header`_ is used to control the operation of the Loading docs/ref/settings.txt +1 −1 Original line number Diff line number Diff line Loading @@ -2862,7 +2862,7 @@ protected cookie data. Turning it on makes it less trivial for an attacker to escalate a cross-site scripting vulnerability into full hijacking of a user's session. There's not much excuse for leaving this off, either: if your code depends on reading session cookies from Javascript, you're probably doing it wrong. session cookies from JavaScript, you're probably doing it wrong. .. _HTTPOnly: https://www.owasp.org/index.php/HTTPOnly Loading Loading
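Review bot: in the first submitting-patches.txt hunk (@@ -242), the renamed heading "JavaScript patches" has the same character count as the old "Javascript patches", so the existing dashed underline still matches it and needs no adjustment; worth confirming the docs build stays warning-free, since a mismatched RST title underline would otherwise produce a warning.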
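Review bot: in the second submitting-patches.txt hunk (@@ -259), the changed line's continuation still reads "includes a handy python script" with a lower-case "python"; since this patch is specifically normalising product-name capitalisation, change it to "Python script" in the same hunk for consistency.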
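Review bot: in the admin/index.txt table hunk (@@ -2673), "i18n JavaScript" replaces "i18n Javascript" one-for-one, so the cell width is unchanged and the `=========` border rows of the RST simple table still line up; no table rebuild is needed, but the rendered docs should be checked once because a width change in a simple table would break the whole table.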
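Review bot: in the first csrf.txt hunk (@@ -7), the leading context line "The CSRF middleware and template tag provides easy-to-use protection" has a compound subject, so it should read "provide"; it is adjacent to the changed line and is a one-word fix that belongs in the same editing pass.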