author    Chris McDonough <chrism@plope.com>  2011-05-27 22:52:26 -0400
committer Chris McDonough <chrism@plope.com>  2011-05-27 22:52:26 -0400
commit    b90b9e03bb3ce56197c9fe8ed6c414853979805e (patch)
tree      4676e50cae7ce60967fc60a982510cc969b7a1f0 /docs
parent    2c65826a9d03282f7192ddee80f09a86d1033d98 (diff)
parent    d0f62591ceb2f6ba6efe98ccf75703e7baee687e (diff)
Merge branch 'master' of github.com:Pylons/pyramid
Diffstat (limited to 'docs')
-rw-r--r--  docs/narr/project.rst   2
-rw-r--r--  docs/whatsnew-1.1.rst   9
2 files changed, 10 insertions, 1 deletion
diff --git a/docs/narr/project.rst b/docs/narr/project.rst
index c1558266a..e60708b6d 100644
--- a/docs/narr/project.rst
+++ b/docs/narr/project.rst
@@ -628,7 +628,7 @@ implementations.
``production.ini``
~~~~~~~~~~~~~~~~~~~
-The ``development.ini`` file is a :term:`PasteDeploy` configuration file with
+The ``production.ini`` file is a :term:`PasteDeploy` configuration file with
a purpose much like that of ``development.ini``. However, it disables the
WebError interactive debugger, replacing it with a logger which outputs
exception messages to ``stderr`` by default. It also turns off template
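Review bot: The corrected first line of the hunk is right (the section is about ``production.ini``, so naming ``development.ini`` there was a copy-paste error), but the unchanged context only describes the mechanism ("disables the WebError interactive debugger, replacing it with a logger") and never says why. One sentence after "by default" stating that the interactive debugger is a development-only tool and must not be enabled on a deployment reachable by untrusted clients would make the point of this file explicit, since that difference is the whole reason the two ini files exist.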
diff --git a/docs/whatsnew-1.1.rst b/docs/whatsnew-1.1.rst
index ea56e2020..761fa8d3a 100644
--- a/docs/whatsnew-1.1.rst
+++ b/docs/whatsnew-1.1.rst
@@ -94,6 +94,15 @@ Minor Feature Additions
Deprecations and Behavior Differences
-------------------------------------
+- The default Mako renderer is now configured to escape all HTML in
+ expression tags. This is intended to help prevent XSS attacks caused by
+ rendering unsanitized input from users. To revert this behavior in user's
+ templates, they need to filter the expression through the 'n' filter::
+
+ ${ myhtml | n }.
+
+ See https://github.com/Pylons/pyramid/issues/193.
+
- Deprecated all assignments to ``request.response_*`` attributes (for
example ``request.response_content_type = 'foo'`` is now deprecated).
Assignments and mutations of assignable request attributes that were
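Review bot: The literal block ``${ myhtml | n }.`` carries a trailing period inside the indented example, so it renders as part of the template expression; move the period out of the literal block or drop it. The sentence "To revert this behavior in user's templates, they need to filter ..." mixes possessive and pronoun; "To revert this behavior in a template, filter the expression through the ``n`` filter::" reads better. Finally, since this entry is justified as an XSS mitigation, it should warn that ``| n`` turns the escaping off again for that expression and so must only be applied to markup the application already knows to be safe; otherwise readers will reach for it the moment escaped output looks wrong and reopen exactly the hole the change closes.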