author    Matthew Somerville <matthew@mysociety.org>  2019-11-26 17:09:56 +0000
committer Matthew Somerville <matthew@mysociety.org>  2019-12-09 09:38:03 +0000
commit    6c2d3d5a7d84521d34daa2cf7e4be76a54b3b0e0 (patch)
tree      75ef8cd6e1df444572ae5ec3a4048e6c3366a088 /CHANGELOG.md
parent    a4290acdff6781979cc3cd7c0142d553236e5666 (diff)
Switch to default-escaped in templates.
This means any variable used in a template is automatically HTML-escaped, unless it is marked as safe either in code by using a SafeString, or in the template with the `mark_safe` function or the `safe` filter.
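To make the escaping rule in the commit message concrete, here is an added illustration that is not FixMyStreet's own code (the project uses Template Toolkit): a constructed minimal `[% ... %]` renderer in which every variable is HTML-escaped on output unless it is a `SafeString`, either created in code via `mark_safe` or marked in the template with the `safe` filter. The `render` function, the tag regex and the sample values are all assumptions made for this example.

```python
import html
import re


class SafeString(str):
    """A string already marked as safe; the renderer emits it without escaping.
    Constructed stand-in for the SafeString the commit message mentions."""


def mark_safe(value):
    """Mark a value as safe in code (constructed stand-in for mark_safe)."""
    return SafeString(value)


# Matches "[% name %]" and "[% name | filter | filter %]" (constructed syntax).
_TAG = re.compile(r"\[%\s*(\w+)((?:\s*\|\s*\w+)*)\s*%\]")


def render(template, variables):
    """Render a template with default escaping of every variable."""

    def substitute(match):
        name, filter_chain = match.group(1), match.group(2)
        value = variables.get(name, "")
        for filter_name in re.findall(r"\|\s*(\w+)", filter_chain):
            if filter_name == "safe":
                # The template author explicitly vouches for this value.
                value = mark_safe(value)
            else:
                raise ValueError(f"unknown filter: {filter_name}")
        if isinstance(value, SafeString):
            return str(value)
        # Default-escaped: anything not marked safe cannot inject markup.
        return html.escape(str(value), quote=True)

    return _TAG.sub(substitute, template)


if __name__ == "__main__":
    # Constructed attacker-controlled page number, like the pagination XSS above.
    print(render('<a href="?page=[% page %]">', {"page": '1"><script>x</script>'}))
    # Trusted fragment: mark it safe in code, or with "| safe" in the template.
    print(render("[% body %]", {"body": mark_safe("<b>ok</b>")}))
    print(render("[% body | safe %]", {"body": "<b>ok</b>"}))
```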
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r--  CHANGELOG.md  5
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 283eff424..c74c48f2a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
- Security:
- Fix XSS vulnerability in pagination page number.
- Rotate session ID after successful login.
+ - Switch to auto-escaping of all template variables (see below).
- Front end improvements:
- Improved 403 message, especially for private reports. #2511
- Mobile users can now filter the pins on the `/around` map view. #2366
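Review bot: the "(see below)" in the new Security entry is a loose cross-reference, since the second hunk in this patch adds a named "Backwards incompatible changes" section; pointing at it by name, e.g. `- Switch to auto-escaping of all template variables (see "Backwards incompatible changes" below).`, lets someone scanning only the Security list find the upgrade instructions directly.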
@@ -77,6 +78,10 @@
- Add support for account_id parameter to POST Service Request calls.
- Do not overwrite/remove protected meta data. #2598
- Spot multiple groups inside a <groups> element.
+ - Backwards incompatible changes:
+ - The FixMyStreet templating code will now escape all variables by
+ default. If you need to output HTML in a variable directly, you will
+ need to escape it with the `safe` filter, e.g. `[% some_html | safe %]`.
* v2.6 (3rd May 2019)
- New features:
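Review bot: "you will need to escape it with the `safe` filter" states the opposite of what the filter does; per the commit message the `safe` filter marks the value as safe so that it is not escaped. Suggest `need to mark it as safe with the `safe` filter, e.g. `[% some_html | safe %]`.` In the same section, the commit message describes two further ways to mark a value safe (a SafeString in code, or `mark_safe` in the template) that the changelog omits; listing them here would save anyone upgrading from having to read the commit.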