Django 1.7.7 release notes

    Django 1.7.7 fixes several bugs and security issues in 1.7.6.

    To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it’s processing increases. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a call without escaping it first, for example with escape().

    However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href.

    • Stopped writing migration files in dry run mode when merging migration conflicts. When makemigrations --merge is called with verbosity=3 the migration file is written to ().