What changed
- make sure map geojson view honours share_status
- move all views permissions to decorators
- escape strings coming from translators
- sanitize vars in templates when source is untrusted
- always redirect to user_dashboard after map delete
- set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE to True by default
- use ipaddress to validate private IPs
- proper way to call URLValidator
- remove showcase map/view
Thanks to Stefan Vink from Radically Open Security for finding these issues.
Thanks to NLnet for funding this security audit work.
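
To illustrate the "use ipaddress to validate private IPs" item, here is an added example (not the project's own code) of checking a URL's target with Python's standard `ipaddress` module before a server-side fetch. The function names, the `fake_resolve` resolver and its host table are assumptions made up for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit


def is_internal_address(value):
    """True if value is an IP literal in a range a proxy should not reach."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP literal at all
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def url_is_blocked(url, resolve):
    """True if the URL has no host or any address behind it is internal.

    `resolve` maps a hostname to a list of IP strings; it is injected so the
    check runs on the addresses that would actually be contacted.
    """
    host = urlsplit(url).hostname
    if not host:
        return True
    try:
        ipaddress.ip_address(host)
        candidates = [host]          # host is already an IP literal
    except ValueError:
        candidates = resolve(host)   # hostname: check every resolved address
    # Fail closed: an unresolvable host is treated as blocked.
    return not candidates or any(is_internal_address(a) for a in candidates)


# Constructed sample data standing in for DNS, so the example runs offline.
FAKE_DNS = {
    "tiles.example.org": ["93.184.216.34"],
    "intranet.example.org": ["10.1.2.3"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```

In a real deployment the resolver would wrap `socket.getaddrinfo`, and the connection should be made to the address that was checked rather than resolving the name a second time.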