Hello. I sent an e-mail to the django security list last Friday about an XSS vulnerability in newforms. The bug was fixed on Monday in SVN revision 4460.
Adrian and Jacob didn't think that it was worth posting to django-announce about it, since it only affects newforms. The justification given was that newforms is mostly undocumented and bleeding-edge, so there won't be many people using it.

I'm disconcerted about this, because I'm planning to launch my own newforms-based app in a matter of weeks and I'd much rather not have to check the Subversion logs to find out about any security bugs. I decided to use newforms for my project based on these two statements on the Django web site:

"The legacy forms/manipulators system described in this document is going to be replaced in the next Django release. If you're starting from scratch, we strongly encourage you not to waste your time learning this. Instead, learn and use the django.newforms system, which we have begun to document in the newforms documentation."

"Should I use the official version or development version? The Django developers improve Django every day and are pretty good about not checking in broken code. We use the development code (from the Subversion repository) directly on our servers, so we consider it stable. With that in mind, we recommend that you use the latest development code, because it generally contains more features and fewer bugs than the "official" releases."

I wasn't able to convince the core developers that this is important, so I thought I'd solicit some opinions here: Should newforms security fixes be posted to django-announce?

Thanks.

-- Jon