10 years ago · dd0b487872
--- a/docs/releases/1.4.13.txt
+++ b/docs/releases/1.4.13.txt
@@ -39,7 +39,7 @@ Django relies on user input in some cases (e.g.
 
				 :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
			
 
				 :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			
 
				 The security checks for these redirects (namely
			
 
				-``django.util.http.is_safe_url()``) did not correctly validate some malformed
			
 
				+``django.utils.http.is_safe_url()``) did not correctly validate some malformed
			
 
				 URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
			
 
				 with more liberal URL parsing.
			
 
				 
			
--- a/docs/releases/1.4.18.txt
+++ b/docs/releases/1.4.18.txt
@@ -37,7 +37,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
 
				 Django relies on user input in some cases (e.g.
			
 
				 :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
			
 
				 to redirect the user to an "on success" URL. The security checks for these
			
 
				-redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading
			
 
				+redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
			
 
				 whitespace on the tested URL and as such considered URLs like
			
 
				 ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to
			
 
				 provide safe redirect targets and put such a URL into a link, they could suffer
			
--- a/docs/releases/1.4.6.txt
+++ b/docs/releases/1.4.6.txt
@@ -16,7 +16,7 @@ Django relies on user input in some cases (e.g.
 
				 :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
			
 
				 :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			
 
				 The security checks for these redirects (namely
			
 
				-``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
			
 
				+``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
			
 
				 and as such allowed ``javascript:...`` URLs to be entered. If a developer
			
 
				 relied on ``is_safe_url()`` to provide safe redirect targets and put such a
			
 
				 URL into a link, they could suffer from a XSS attack. This bug doesn't affect
			
--- a/docs/releases/1.5.2.txt
+++ b/docs/releases/1.5.2.txt
@@ -13,7 +13,7 @@ Django relies on user input in some cases (e.g.
 
				 :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
			
 
				 :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			
 
				 The security checks for these redirects (namely
			
 
				-``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
			
 
				+``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
			
 
				 and as such allowed ``javascript:...`` URLs to be entered. If a developer
			
 
				 relied on ``is_safe_url()`` to provide safe redirect targets and put such a
			
 
				 URL into a link, they could suffer from a XSS attack. This bug doesn't affect
			
--- a/docs/releases/1.5.8.txt
+++ b/docs/releases/1.5.8.txt
@@ -39,7 +39,7 @@ Django relies on user input in some cases (e.g.
 
				 :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
			
 
				 :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			
 
				 The security checks for these redirects (namely
			
 
				-``django.util.http.is_safe_url()``) did not correctly validate some malformed
			
 
				+``django.utils.http.is_safe_url()``) did not correctly validate some malformed
			
 
				 URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
			
 
				 with more liberal URL parsing.
			
 
				 
			
--- a/docs/releases/1.6.10.txt
+++ b/docs/releases/1.6.10.txt
@@ -36,7 +36,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
 
				 Django relies on user input in some cases (e.g.
			
 
				 :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
			
 
				 to redirect the user to an "on success" URL. The security checks for these
			
 
				-redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading
			
 
				+redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
			
 
				 whitespace on the tested URL and as such considered URLs like
			
 
				 ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to
			
 
				 provide safe redirect targets and put such a URL into a link, they could suffer
			
--- a/docs/releases/1.6.5.txt
+++ b/docs/releases/1.6.5.txt
@@ -39,7 +39,7 @@ Django relies on user input in some cases (e.g.
 
				 :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
			
 
				 :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			
 
				 The security checks for these redirects (namely
			
 
				-``django.util.http.is_safe_url()``) did not correctly validate some malformed
			
 
				+``django.utils.http.is_safe_url()``) did not correctly validate some malformed
			
 
				 URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
			
 
				 with more liberal URL parsing.
			
 
				 
			
--- a/docs/releases/1.7.3.txt
+++ b/docs/releases/1.7.3.txt
@@ -36,7 +36,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs
 
				 Django relies on user input in some cases (e.g.
			
 
				 :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
			
 
				 to redirect the user to an "on success" URL. The security checks for these
			
 
				-redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading
			
 
				+redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
			
 
				 whitespace on the tested URL and as such considered URLs like
			
 
				 ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to
			
 
				 provide safe redirect targets and put such a URL into a link, they could suffer