Personal blog of Miguel Araujo

Django-uni-form 0.9.0 is out [security fix]

Version 0.9.0 is out and you should update for security reasons. An XSS bug has been fixed, thanks to Charlie Denton for reporting it. If you use django-uni-form with a form field whose error message echoes the submitted value back without sanitizing it, such as ChoiceField (its invalid-choice message includes the value the user posted), you are vulnerable, because django-uni-form's templates rendered errors through the |safe filter, which disables Django's autoescaping.
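To make the bug concrete, here is an added example that is not django-uni-form's own code: a small pure-Python stand-in for the rendering path. The invalid-choice message is the format string Django's ChoiceField ships; the choice set, the payload and the two render functions (one mimicking a template that applies |safe, one that escapes) are constructed for illustration.

```python
import html

# Django's ChoiceField default error message for an invalid choice. The value
# the user submitted is interpolated into it verbatim, which is why any
# template that renders errors with |safe turns this into reflected XSS.
INVALID_CHOICE_MSG = "Select a valid choice. %(value)s is not one of the available choices."

# Constructed choice set standing in for a real form field's choices.
CHOICES = {"red", "green", "blue"}

# Constructed attacker-controlled POST value; any string not in CHOICES works.
PAYLOAD = "<script>alert(1)</script>"


def choice_field_errors(submitted):
    """Mimic ChoiceField.validate(): echo the submitted value into the error."""
    if submitted in CHOICES:
        return []
    return [INVALID_CHOICE_MSG % {"value": submitted}]


def render_errors_unsafe(errors):
    """Pre-0.9.0 behaviour (constructed stand-in): the template applied |safe,
    so the message lands in the page without escaping."""
    return "".join('<span class="error">%s</span>' % e for e in errors)


def render_errors_escaped(errors):
    """Fixed behaviour (constructed stand-in): the message is HTML-escaped, the
    same result Django's autoescaping gives when |safe is not applied."""
    return "".join('<span class="error">%s</span>' % html.escape(e) for e in errors)


def demo(submitted=PAYLOAD):
    """Return (vulnerable markup, fixed markup) for one submitted value."""
    errors = choice_field_errors(submitted)
    return render_errors_unsafe(errors), render_errors_escaped(errors)


if __name__ == "__main__":
    unsafe, escaped = demo()
    print("with |safe:   ", unsafe)
    print("autoescaped:  ", escaped)
```

The vulnerable path emits the `<script>` tag verbatim inside the error span; the fixed path emits `&lt;script&gt;`. If you override any of django-uni-form's templates in your own project, audit them for `|safe` applied to error variables, since the fix in the package does not touch templates you have copied.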

This has been addressed as quickly as possible. Fixes for previous versions may follow soon. The PyPI package has been updated, so you can do:

pip install --upgrade django-uni-form

This is the commit that introduced the security bug; as you can see, it affects version 0.7.0 and all later versions.

I want to thank every contributor and user who has made this version rock even more than previous ones.

Bug fixes

Support has been added for show_hidden_initial, internationalization of Fieldset legends, error_css_class and required_css_class. The MultiField layout object has fixed markup and has been optimized.

Performance boost

The project has seen several performance tune-ups related to template handling that make it run much faster. Running django-uni-form without template caching is now only about a second slower than the cached version.

Customizable templates

All layout objects now have an attribute named template that points to a template file, and that template is in charge of rendering the layout object. Using your own custom templates for layout objects is no longer a hassle.

Improved docs

The docs are on their way to being easier to grok for newcomers. New sections have been added that explain some of the new 0.9.0 features and some of the most hidden features of django-uni-form. There are now more examples and use cases, which will hopefully resolve some of the most frequently asked questions. For better readability we are now using Kenneth Reitz's kr-sphinx-themes, based on the Flask themes, for Read the Docs.

Layout inheritance

If you have a layout shared by many forms, you can now do some neat layout inheritance with it, which will help you be more DRY.

Better organization

The helpers.py file has been divided into three files: helper.py, layout.py and utils.py. You can still import everything from helpers, but a deprecation warning has been added so that you can start moving to the new import structure. helper holds the FormHelper class, layout holds the Layout class and the layout objects, while utils holds render_field, an internal function used for rendering your django-uni-form layouts.

More tests and better test coverage

This is the only way we will be able to maintain the quality of this project and keep up the pace of faster release cycles.
