Django 1.6.11 release notes

Django 1.6.11 fixes two security issues in 1.6.10.

To remedy this issue, strip_tags() will now return the original input if it detects that the length of the string it's processing increases. Remember that absolutely NO guarantee is provided that the result is HTML safe. So NEVER mark the result of a strip_tags() call safe without escaping it first, for example with .
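An added illustration of the guarded loop described above (example code, not Django's own strip_tags()): a regex-based single pass stands in for Django's parser-based pass, and _growing_pass is a constructed stand-in for a pass that makes its input longer.

```python
import re

# One pass removes anything that looks like a complete tag. "<" is excluded
# from the class so a stray "<" left behind is re-examined on a later pass.
_TAG_RE = re.compile(r"<[^<>]*>")


def strip_once(value):
    """A single stripping pass (assumed, simpler than Django's parser pass)."""
    return _TAG_RE.sub("", value)


def strip_tags(value, strip_once=strip_once):
    """Strip tags iteratively, with the length guard from the release note.

    If a pass ever makes the string longer, the untouched input is returned
    instead of looping further. A pass that changes nothing ends the loop.
    """
    original = value
    while "<" in value and ">" in value:
        new_value = strip_once(value)
        if len(new_value) > len(value):
            # Growth means the pass produced more text than it consumed:
            # bail out with the original input rather than keep iterating.
            return original
        if len(new_value) == len(value):
            # Nothing tag-like is left to remove.
            break
        value = new_value
    return value


def _growing_pass(value):
    """Constructed misbehaving pass used only to exercise the guard."""
    return value + "x"


if __name__ == "__main__":
    # Pass 1 leaves "<script>hello</script>", pass 2 reduces it to "hello".
    print(strip_tags("<scr<script>ipt>hello</scr</script>ipt>"))
    # "<" and ">" present but no complete tag: returned unchanged.
    print(strip_tags("3 > 2 < 4"))
    # A pass that enlarges its input triggers the guard: input returned as-is.
    print(strip_tags("<b>x</b>", strip_once=_growing_pass))
```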

Mitigated possible XSS attack via user-supplied redirect URLs

However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack, as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href.