Commits

Mark Lavin committed 1e8b69d

Documentation and release notes on fix for #63.

  • Participants
  • Parent commits b5a5f9d
  • Branches stable

Comments (0)

Files changed (2)

File docs/lookups.rst

 
     By default ``format_item`` creates a dictionary with the three keys used by
     the UI plugin: id, value, label. These are generated from the calls to
-    ``get_item_id``, ``get_item_value``, and ``get_item_label``. If you want to
+    ``get_item_id``, ``get_item_value`` and ``get_item_label``. If you want to
     add additional keys you should add them here.
 
+    The results of ``get_item_id``, ``get_item_value`` and ``get_item_label`` are
+    conditionally escaped to prevent Cross Site Scripting (XSS) similar to the templating
+    language. If you know that the content is safe and you want to use these methods
+    to include HTML should mark the content as safe with ``django.utils.safestring.mark_safe``
+    inside the ``get_item_*`` methods.
+
     :param item: An item from the search results.
     :return: A dictionary of information for this item to be sent back to the client.
 

File docs/releases.rst

 Release Notes
 ==================
 
+v0.5.2 (Released 2012-06-27)
+--------------------------------------
+
+Bug Fixes
+_________________
+
+- Fixed XSS flaw with lookup ``get_item_*`` methods. Thanks slafs for the report.
+
+
 v0.5.1 (Released 2012-06-08)
 --------------------------------------