.. _upgrade-to-3.2.4:

###################
3.2.4 release notes
###################

*******************
What's new in 3.2.4
*******************

Bug Fixes
=========

* Fix cache settings
* Fix user lookup for view restrictions/page permissions when using raw id field
* Fixed regression when page couldn't be copied if CMS_PERMISSION was False
* Fixes an issue relating to uninstalling a namespaced application
* Adds "Can change page" permission
* Fixes a number of page-tree issues that could lead to data corruption under
  certain conditions
* Addresses security vulnerabilities in the `render_model` template tag that
  could lead to escalation of privileges or other security issues.
* Addresses a security vulnerability in the cms' usage of the messages framework
* Fixes security vulnerabilities in custom FormFields that could lead to
  escalation of privileges or other security issues.

.. important::

    This version of django CMS introduces a new setting,
    ``CMS_UNESCAPED_RENDER_MODEL_TAGS``, with a default value of ``True``. This
    default allows upgrades to occur without forcing django CMS users to do
    anything, but please be aware that it continues to allow known security
    vulnerabilities to be present. For this reason the new setting is
    deprecated immediately and will be removed in a near-future release.

    To immediately improve the security of your project and to prepare for
    future releases of django CMS and related addons, the project
    administrator should carefully review each use of the ``render_model``
    template tags provided by django CMS and ensure that all content rendered
    to a page through these tags is cleansed of any potentially harmful HTML
    markup, CSS styles or JavaScript. Once the administrator or developer is
    satisfied that the content is clean, he or she can add the ``safe`` filter
    parameter to the ``render_model`` template tag if the content should be
    rendered without escaping. If there is no need to render the content
    unescaped, no further action is required.

    Once all template tags have been reviewed and adjusted where necessary,
    the administrator should set ``CMS_UNESCAPED_RENDER_MODEL_TAGS = False``
    in the project settings. At that point, the project is more secure and
    will be ready for any future upgrades.
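
A small audit helper of the kind the review above calls for, added here as an example and not part of django CMS itself: it lists every ``render_model`` family tag found in template text, reads the filters argument (assumed to be the fifth positional argument of ``render_model``, after instance, attribute, edit_fields and language), and flags the tags that pass ``safe`` and will therefore still render unescaped once ``CMS_UNESCAPED_RENDER_MODEL_TAGS`` is set to ``False``. The sample template is constructed for the example.

```python
import re

# Constructed sample template text (not taken from any real project).
SAMPLE_TEMPLATE = """
<h1>{% render_model instance "title" %}</h1>
<div>{% render_model instance "body" "body" "" "truncatewords:30" %}</div>
<div>{% render_model instance "body" "" "" "safe" %}</div>
{% render_model_block instance %}{{ instance.teaser }}{% endrender_model_block %}
"""

# Matches {% render_model ... %} and its variants (render_model_block, _icon, _add).
TAG_RE = re.compile(r"{%\s*(render_model\w*)\s+(.*?)\s*%}", re.S)
# One tag argument: a double-quoted string, a single-quoted string, or a bare token.
ARG_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def split_args(argstr):
    """Split a tag's argument string into positional arguments, unquoting strings."""
    return [next(g for g in m.groups() if g is not None) for m in ARG_RE.finditer(argstr)]


def audit_render_model_tags(template_text):
    """Return one record per render_model* tag: where it is, what it renders,
    which filters it applies and whether 'safe' disables escaping."""
    findings = []
    for m in TAG_RE.finditer(template_text):
        tag, args = m.group(1), split_args(m.group(2))
        # Assumed positional order: instance attribute edit_fields language filters ...
        filters = args[4] if tag == "render_model" and len(args) > 4 else ""
        findings.append({
            "line": template_text.count("\n", 0, m.start()) + 1,
            "tag": tag,
            "instance": args[0] if args else "",
            "attribute": args[1] if len(args) > 1 else "",
            "filters": filters,
            "unescaped": "safe" in [f.strip() for f in filters.split("|")],
        })
    return findings


def classify(findings):
    """Split findings into tags whose output becomes escaped once the setting
    is False, and tags explicitly marked safe (their content must be cleansed)."""
    will_escape = [f for f in findings if not f["unescaped"]]
    trusted = [f for f in findings if f["unescaped"]]
    return will_escape, trusted


if __name__ == "__main__":
    for f in audit_render_model_tags(SAMPLE_TEMPLATE):
        print(f)
```

Run it over each template directory before flipping the setting; every tag in the ``trusted`` list is one whose stored content needs sanitising upstream.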


DjangoCMS Text CKEditor
=======================

Action required
---------------

CMS 3.2.1 is not compatible with djangocms-text-ckeditor < 2.8.1.
If you're using djangocms-text-ckeditor, please upgrade to 2.8.1 or later.