diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/whatsnew-1.1.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/whatsnew-1.1.rst b/docs/whatsnew-1.1.rst index ea56e2020..761fa8d3a 100644 --- a/docs/whatsnew-1.1.rst +++ b/docs/whatsnew-1.1.rst @@ -94,6 +94,15 @@ Minor Feature Additions Deprecations and Behavior Differences ------------------------------------- +- The default Mako renderer is now configured to escape all HTML in + expression tags. This is intended to help prevent XSS attacks caused by + rendering unsanitized input from users. To revert this behavior in user's + templates, they need to filter the expression through the 'n' filter:: + + ${ myhtml | n }. + + See https://github.com/Pylons/pyramid/issues/193. + - Deprecated all assignments to ``request.response_*`` attributes (for example ``request.response_content_type = 'foo'`` is now deprecated). Assignments and mutations of assignable request attributes that were |