django-jsonform 2.10.1 release notes
====================================


Jun 10, 2022
------------

django-jsonform v2.10.1 fixes a "high" severity security vulnerability which affects
all previous versions.


XSS (Cross Site Scripting) vulnerability in the admin form
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

django-jsonform stores the raw JSON data of the database field in a hidden
``textarea`` on the admin page.

However, that data was kept in the ``textarea`` after unescaping it using the
``safe`` template filter. This opens up possibilities for XSS attacks.

This only affects the admin pages where the django-jsonform is rendered.