September 5, 2017
Django 1.11.5 fixes a security issue and several bugs in 1.11.4.
In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed
a cross-site scripting attack. This vulnerability shouldn't affect most
production sites since you shouldn't run with
DEBUG = True (which makes
this page accessible) in your production settings.
'use_returning_into': Falseis in the
DATABASES. The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily requires an update to Oracle tables created with Django 1.11.[1-4]. Use the upgrade script in #28451 comment 8 to update sequence and trigger names to use the pre-1.11 naming scheme.
LogoutView, for equivalence with the function-based
SelectDateWidgetlocalized the years in the select box (#28530).
runservercrashed with non-Unicode system encodings on Python 2 + Windows (#28487).
ManyToManyFieldweren't logged in the admin change history (#27998) and prevented
ManyToManyFieldinitial data in model forms from being affected by subsequent model changes (#28543).
AssertionErrorcrash in some queries with multiple joins (#26522).
logout()views where they ignored positional arguments (#28550).