authorTom Christie2014-11-03 11:39:54 +0000
committerTom Christie2014-11-03 11:39:54 +0000
commit37845968cd66e6372bbc22fd3ced131dff3b824a (patch)
tree34db0df33db4fe4db7fe1cafde1ae71ac0a19f14
parent37b0995c8bc90243fe85054af6d1e4df67dcc4e4 (diff)
parent650a91ac24cbd3e5b4ad5d7d7c6706fdf6160a78 (diff)
downloaddjango-rest-framework-37845968cd66e6372bbc22fd3ced131dff3b824a.tar.bz2
Merge master
-rw-r--r--docs/topics/release-notes.md10
-rw-r--r--rest_framework/templatetags/rest_framework.py4
2 files changed, 12 insertions, 2 deletions
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index 4fa3d627..88780c3f 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,6 +40,16 @@ You can determine your currently installed version using `pip freeze`:
## 2.4.x series
+### 2.4.4
+
+**Date**: [3rd November 2014](https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.4+Release%22+).
+
+* **Security fix**: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.
+* Maintain ordering of URLs in API root view for `DefaultRouter`.
+* Fix `follow=True` in `APIRequestFactory`
+* Resolve issue with invalid `read_only=True`, `required=True` fields being automatically generated by `ModelSerializer` in some cases.
+* Resolve issue with `OPTIONS` requests returning incorrect information for views using `get_serializer_class` to dynamically determine serializer based on request method.
+
### 2.4.3
**Date**: [19th September 2014](https://github.com/tomchristie/django-rest-framework/issues?q=milestone%3A%222.4.3+Release%22+).
diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
index 7251f071..f1825a24 100644
--- a/rest_framework/templatetags/rest_framework.py
+++ b/rest_framework/templatetags/rest_framework.py
@@ -23,7 +23,7 @@ def replace_query_param(url, key, val):
query_dict = QueryDict(query).copy()
query_dict[key] = val
query = query_dict.urlencode()
- return escape(urlparse.urlunsplit((scheme, netloc, path, query, fragment)))
+ return urlparse.urlunsplit((scheme, netloc, path, query, fragment))
# Regex for adding classes to html snippets
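Review bot: Dropping `escape()` from the return on the `+` line changes replace_query_param's contract to "returns a raw, unescaped URL", and nothing in the hunk (or the second hunk, which now escapes in add_query_param instead) records that, so a future caller that renders this value into markup without going through add_query_param will lose the escaping the release note calls a security fix. The function's docstring sits above the hunk; I would add to it: `Returns the rebuilt URL unescaped; callers that emit it into HTML must escape it (see add_query_param).` It may also be worth a one-line comment in add_query_param such as `# escape here, not in replace_query_param, so the helper stays usable for non-HTML output` — this presumably is the intent of moving the call, but the hunks do not state it. replace_query_param's signature and docstring start outside the hunk.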
@@ -83,7 +83,7 @@ def add_query_param(request, key, val):
"""
iri = request.get_full_path()
uri = iri_to_uri(iri)
- return replace_query_param(uri, key, val)
+ return escape(replace_query_param(uri, key, val))
@register.filter