===========================Django 1.4.20 release notes===========================*March 18, 2015*Django 1.4.20 fixes one security issue in 1.4.19.Mitigated possible XSS attack via user-supplied redirect URLs=============================================================Django relies on user input in some cases (e.g.``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)to redirect the user to an "on success" URL. The security checks for theseredirects (namely ``django.utils.http.is_safe_url()``) accepted URLs withleading control characters and so considered URLs like ``\x08javascript:...``safe. This issue doesn't affect Django currently, since we only put this URLinto the ``Location`` response header and browsers seem to ignore JavaScriptthere. Browsers we tested also treat URLs prefixed with control characters suchas ``%08//example.com`` as relative paths so redirection to an unsafe targetisn't a problem either.However, if a developer relies on ``is_safe_url()`` toprovide safe redirect targets and puts such a URL into a link, they couldsuffer from an XSS attack as some browsers such as Google Chrome ignore controlcharacters at the start of a URL in an anchor ``href``.