Commit c51c9b3c authored by Aymeric Augustin
Moved two paragraphs from "deprecated features" to "backwards-incompatible changes", where they belong.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@17354 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent cd468630
@@ -920,6 +920,22 @@ whose primary use is to load fixtures consisting of simple objects. Even though
fixtures are trusted data, the YAML deserializer now uses ``yaml.safe_load``
for additional security.

Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.

The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.

Features deprecated in 1.4
==========================

@@ -1053,22 +1069,6 @@ Now, the flags are keyword arguments of :meth:`@register.filter

See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.

The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When an URL contains a ``%xx`` sequence, where ``xx`` are two hexadecimal
digits, :tfilter:`urlize` assumes that the URL is already escaped, and doesn't
apply URL escaping again. This is wrong for URLs whose unquoted form contains
a ``%xx`` sequence, but such URLs are very unlikely to happen in the wild,
since they would confuse browsers too.

Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Session cookies now include the ``httponly`` attribute by default to
help reduce the impact of potential XSS attacks. For strict backwards
compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.

Wildcard expansion of application names in `INSTALLED_APPS`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
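Review bot: the removal itself is clean, but the remaining context heading at the end of this hunk writes `INSTALLED_APPS` with single backticks, while the other headings in this section use double backticks (``httponly``); in reST single backticks are interpreted text under the default role and render differently, so ``INSTALLED_APPS`` or :setting:`INSTALLED_APPS` would be consistent with the surrounding headings.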