@@ -120,7 +120,7 @@

var selects = django.jQuery(selectsSelector);

selects.find('option').each(function() {

if (this.value === objId) {

this.innerHTML = newRepr;

this.textContent = newRepr;

this.value = newId;

}

});

@@ -631,13 +631,13 @@ def default_urlconf(request):

var s = link.getElementsByTagName('span')[0];

var uarr = String.fromCharCode(0x25b6);

var darr = String.fromCharCode(0x25bc);

s.innerHTML = s.innerHTML == uarr ? darr : uarr;

s.textContent = s.textContent == uarr ? darr : uarr;

return false;

}

function switchPastebinFriendly(link) {

s1 = "Switch to copy-and-paste view";

s2 = "Switch back to interactive view";

link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;

link.textContent = link.textContent.trim() == s1 ? s2: s1;

toggle('browserTraceback', 'pastebinTraceback');

return false;

}

@@ -2,9 +2,20 @@

Django 1.8.14 release notes

===========================

*Under development*

*July 18, 2016*

Django 1.8.14 fixes several bugs in 1.8.13.

Django 1.8.14 fixes a security issue and a bug in 1.8.13.

XSS in admin's add/change related popup

=======================================

Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the

admin's add/change related popup. ``Element.textContent`` is now used to

prevent execution of the data.

The debug view also used ``innerHTML``. Although a security issue wasn't

identified there, out of an abundance of caution it's also updated to use

``textContent``.

Bugfixes

========

@@ -2,9 +2,20 @@

Django 1.9.8 release notes

==========================

*Under development*

*July 18, 2016*

Django 1.9.8 fixes several bugs in 1.9.7.

Django 1.9.8 fixes a security issue and several bugs in 1.9.7.

XSS in admin's add/change related popup

=======================================

Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the

admin's add/change related popup. ``Element.textContent`` is now used to

prevent execution of the data.

The debug view also used ``innerHTML``. Although a security issue wasn't

identified there, out of an abundance of caution it's also updated to use

``textContent``.

Bugfixes

========

@@ -17,13 +17,17 @@

from django.utils.encoding import python_2_unicode_compatible

@python_2_unicode_compatible

class Section(models.Model):

"""

A simple section that links to articles, to test linking to related items

in admin views.

"""

name = models.CharField(max_length=100)

def __str__(self):

return self.name

@property

def name_property(self):

"""

@@ -4625,8 +4625,10 @@ def test_list_editable_popups(self):

"""

list_editable foreign keys have add/change popups.

"""

from selenium.webdriver.support.ui import Select

s1 = Section.objects.create(name='Test section')

Article.objects.create(

title='foo',

content='<p>Middle content</p>',

date=datetime.datetime(2008, 3, 18, 11, 54, 58),

section=s1,

@@ -4638,8 +4640,13 @@ def test_list_editable_popups(self):

self.wait_for_popup()

self.selenium.switch_to.window(self.selenium.window_handles[-1])

self.wait_for_text('#content h1', 'Change section')

self.selenium.close()

name_input = self.selenium.find_element_by_id('id_name')

name_input.clear()

name_input.send_keys('<i>edited section</i>')

self.selenium.find_element_by_xpath('//input[@value="Save"]').click()

self.selenium.switch_to.window(self.selenium.window_handles[0])

select = Select(self.selenium.find_element_by_id('id_form-0-section'))

self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')

# Add popup

self.selenium.find_element_by_id('add_id_form-0-section').click()