Diffstat (limited to 'docs/whatsnew-1.1.rst')
-rw-r--r-- docs/whatsnew-1.1.rst | 13
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/whatsnew-1.1.rst b/docs/whatsnew-1.1.rst
index 533ae3637..172a20343 100644
--- a/docs/whatsnew-1.1.rst
+++ b/docs/whatsnew-1.1.rst
@@ -75,6 +75,10 @@ Default HTTP Exception View
Minor Feature Additions
-----------------------
+- New authentication policy:
+ :class:`pyramid.authentication.SessionAuthenticationPolicy`, which uses a
+ session to store credentials.
+
- A function named :func:`pyramid.httpexceptions.responsecode` is a shortcut
that can be used to create HTTP exception response objects using an HTTP
integer status code.
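Review bot: the new ``SessionAuthenticationPolicy`` entry says the policy "uses a session to store credentials" but does not say what that implies for security; suggest adding a sentence that the stored credentials are only as trustworthy as the configured session factory (the session must be tamper-resistant for the policy to be safe), so readers choosing this policy know where the trust boundary sits. A short cross-reference to the session factory documentation would be enough.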
@@ -116,6 +120,15 @@ Minor Feature Additions
Deprecations and Behavior Differences
-------------------------------------
+- The default Mako renderer is now configured to escape all HTML in
+ expression tags. This is intended to help prevent XSS attacks caused by
+ rendering unsanitized input from users. To revert this behavior in user's
+ templates, they need to filter the expression through the 'n' filter::
+
+ ${ myhtml | n }.
+
+ See https://github.com/Pylons/pyramid/issues/193.
+
- Deprecated all assignments to ``request.response_*`` attributes (for
example ``request.response_content_type = 'foo'`` is now deprecated).
Assignments and mutations of assignable request attributes that were
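Review bot: the period in "``${ myhtml | n }.``" sits inside the literal block opened by ``::``, so it renders as part of the template example; move it outside the block or drop it. The preceding sentence also reads awkwardly ("To revert this behavior in user's templates, they need to filter the expression through the 'n' filter"); suggest "To emit unescaped HTML from a template, pass the expression through the ``n`` filter". Since ``n`` bypasses the new escaping, it is worth stating explicitly that it must only be applied to content the application already trusts, not to user-supplied input, otherwise the XSS protection this change introduces is lost for that expression.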