diff options
Diffstat (limited to 'CHANGES.txt')
| -rw-r--r-- | CHANGES.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 0992af9ef..9dd1af2c5 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -37,9 +37,15 @@ Documentation - Added "What's New in Pyramid 1.1" to HTML rendering of documentation. +- Added API docs for ``pyramid.authentication.SessionAuthenticationPolicy``. + Features -------- +- New authentication policy: + ``pyramid.authentication.SessionAuthenticationPolicy``, which uses a session + to store credentials. + - Accessing the ``response`` attribute of a ``pyramid.request.Request`` object (e.g. ``request.response`` within a view) now produces a new ``pyramid.response.Response`` object. This feature is meant to be used @@ -230,6 +236,13 @@ Deprecations Behavior Changes ---------------- +- The default Mako renderer is now configured to escape all HTML in + expression tags. This is intended to help prevent XSS attacks caused by + rendering unsanitized input from users. To revert this behavior in user's + templates, they need to filter the expression through the 'n' filter. + For example, ${ myhtml | n }. + See https://github.com/Pylons/pyramid/issues/193. + - A custom request factory is now required to return a response object that has a ``response`` attribute (or "reified"/lazy property) if they the request is meant to be used in a view that uses a renderer. This |