Fixed SQL Injection vulnerability, CVE-2021-30459. The toolbar now calculates a signature on all fields for the SQL select, explain, and analyze forms.
sameSite=Lax by default if callers do not provide a value.
PRETTIFY_SQL configuration option to support controlling SQL token grouping. By default it’s set to True. When set to False, a performance improvement can be seen by the SQL panel.
Fixed issue with toolbar expecting URL paths to start with /__debug__/ while the documentation indicates it’s not required.
Moved CI to GitHub Actions: https://github.com/jazzband/django-debug-toolbar/actions
Stopped crashing when request.POST are dictionaries instead of QueryDict instances. This isn’t a valid use of Django but django-debug-toolbar shouldn’t crash anyway.
Fixed a crash in the history panel when sending a JSON POST request with invalid JSON.
Added missing signals to the signals panel by default.
Verified support for Python 3.9.
js template block to debug_toolbar/base.html to allow overriding CSS and JS.
Replaced remaining images with CSS.
Continued refactoring the HTML and CSS code for simplicity, continued improving the use of semantic HTML.
Continued removing unused CSS.
Started running Selenium tests on Travis CI.
Added a system check which prevents using django-debug-toolbar without any enabled panels.
Panel.run_checks() for panels to verify the configuration before the application starts.
Validate the static file paths specified in
Introduced prettier to format the frontend code.
Started accessing history views using GET requests since they do not change state on the server.
Fixed a bug where unsuccessful requests (e.g. network errors) were silently ignored.
Started spellchecking the documentation.
Removed calls to the deprecated request.is_ajax() method. These calls were unnecessary now that most endpoints return JSON anyway.
Removed support for Python 3.5.
Fixed a crash in the history panel when sending an empty JSON POST request.
make example also set up the database and a superuser account.
Added a Makefile target for regenerating the django-debug-toolbar screenshot.
Added automatic escaping of panel titles resp. disallowed HTML tags.
Removed some CSS
Restructured the SQL stats template.
Changed command line examples to prefer python -m pip to
.editorconfig file specifying indentation rules etc.
Updated the Italian translation.
Added support for Django 3.1a1.
jQuery.ajax requests are now detected by the absence of an Accept: text/html header instead of the jQuery-specific X-Requested-With header on Django 3.1 or better.
Pruned unused CSS and removed hacks for ancient browsers.
Added the new
Switched from JSHint to ESLint. Added an ESLint job to the Travis CI matrix.
Updated the code to avoid a few deprecation warnings and resource warnings.
Added support for cache.touch() when using django-debug-toolbar.
Eliminated more inline CSS.
Makefile to use isort>=5.
Increased RESULTS_CACHE_SIZE to 25 to better support AJAX requests.
Fixed the close button CSS by explicitly specifying the
isort configuration by taking advantage of isort’s
HistoryPanel including support for AJAX requests.
Backwards incompatible changes
Removed support for end of life Django 1.11. The minimum supported Django is now 2.2.
runserver is not impacted. However, if your application server and static files server are at different origins, you may see CORS errors in your browser’s development console. See the “Cross-Origin Request Blocked” section of the installation docs for details on how to resolve this issue.
Removed support for end of life Django 2.0 and 2.1.
Added support for Python 3.8.
Add locals() option for SQL panel.
Added support for Django 3.0.
Changed the Travis CI matrix to run style checks first.
Small improvements to the code to take advantage of newer Django APIs and avoid warnings because of deprecated code.
Verified compatibility with the upcoming Django 3.0 (at the time of writing).
StaticFilesPanel to be compatible with Django 3.0.
ProfilingPanel is now enabled but inactive by default.
Fixed toggling of table rows in the profiling panel UI.
ProfilingPanel no longer skips remaining panels or middlewares.
Improved the installation documentation.
Fixed a possible crash in the template panel.
Added support for psycopg2
Changed the Jinja2 tests to use Django’s own Jinja2 template backend.
Added instrumentation to queries using server side cursors.
Too many small improvements and cleanups to list them all.
Backwards incompatible changes
Removed support for Python 2.
Removed support for Django’s deprecated
debug_toolbar.panels.Panel to execute more like the new-style Django MIDDLEWARE. The Panel.__init__() method is now passed get_response as the first positional argument. The debug_toolbar.panels.Panel.process_request() method must now always return a response. Usually this is the response returned by get_response() but the panel may also return a different response as is the case in the RedirectsPanel. Third party panels must adjust to this new architecture.
Panel.process_view() have been removed as a result of this change.
The deprecated API, debug_toolbar.panels.DebugPanel, has been removed. Third party panels should use
The following deprecated settings have been removed:
Stop inlining images in CSS to avoid Content Security Policy errors altogether.
Reformatted the code using black.
Added the Django mail panel to the list of third-party panels.
Convert system check errors to warnings to accommodate exotic configurations.
Fixed a crash when explaining raw querysets.
Fixed an obscure Unicode error with binary data fields.
Added MariaDB and Python 3.7 builds to the CI.
Fixed a problem where the duplicate query detection breaks for unhashable query parameters.
Added support for structured types when recording SQL.
Made Travis CI also run one test on PostgreSQL.
Added fallbacks for inline images in CSS.
Improved cross-browser compatibility around
Fixed a few typos and redundancies in the documentation, removed mentions of django-debug-toolbar’s jQuery which aren’t accurate anymore.
Removed support for Django < 1.11.
Added support and testing for Django 2.1 and Python 3.7. No actual code changes were required.
Removed the jQuery dependency. This means that django-debug-toolbar now requires modern browsers with support for
JQUERY_URL setting is also removed because it isn’t necessary anymore. If you depend on jQuery, integrate it yourself.
Added support for the server timing header.
Added a differentiation between similar and duplicate queries. Similar queries are what duplicate queries used to be (same SQL, different parameters).
Stopped hiding frames from Django’s contrib apps in stacktraces by default.
Lots of small cleanups and bug fixes.
ContentNotRenderedError raised by the redirects panel.
This version is compatible with Django 2.0 and requires Django 1.8 or later.
The profiling panel now escapes reported data resulting in valid HTML.
Many minor cleanups and bug fixes.
This version is compatible with Django 1.11 and requires Django 1.8 or later.
Backwards incompatible changes
debug_toolbar.middleware.show_toolbar (the default value of setting SHOW_TOOLBAR_CALLBACK) no longer returns False for AJAX requests. This is to allow reusing the SHOW_TOOLBAR_CALLBACK function to verify access to panel views requested via AJAX. Projects defining a custom SHOW_TOOLBAR_CALLBACK should remove checks for AJAX requests in order to continue to allow access to these panels.
debug_toolbar.decorators.require_show_toolbar prevents unauthorized access to decorated views by checking SHOW_TOOLBAR_CALLBACK every request. Unauthorized access results in a 404.
SKIP_TEMPLATE_PREFIXES setting allows skipping templates in the templates panel. Template-based form widgets’ templates are skipped by default to avoid panel sizes going into hundreds of megabytes of HTML.
All views are now decorated with debug_toolbar.decorators.require_show_toolbar preventing unauthorized access.
The templates panel now reuses contexts’ pretty printed version which makes the debug toolbar usable again with Django 1.11’s template-based forms rendering.
Long SQL statements are now forcibly wrapped to fit on the screen.
Recursive template extension is now understood.
Deprecation warnings were fixed.
The SQL panel uses HMAC instead of simple hashes to verify that SQL statements have not been changed. Also, the handling of bytes and text for hashing has been hardened. Also, a bug with Python’s division handling has been fixed for improved Python 3 support.
An error with django-jinja has been fixed.
A few CSS classes have been prefixed with djdt- to avoid conflicting class names.
The debug toolbar was adopted by Jazzband.
Support for automatic setup has been removed as it was frequently problematic. Installation now requires explicit setup. The DEBUG_TOOLBAR_PATCH_SETTINGS setting has also been removed as it is now unused. See the installation documentation for details.
DebugToolbarMiddleware now also supports Django 1.10’s
This version is compatible with Django 1.10 and requires Django 1.8 or later.
Support for Python 3.2 is dropped.
Restore compatibility with sqlparse ≥ 0.2.0.
Add compatibility with Bootstrap 4, Pure CSS, MDL, etc.
Improve compatibility with RequireJS / AMD.
Improve the UI slightly.
Fix invalid (X)HTML.
This version is compatible with Django 1.9 and requires Django 1.7 or later.
New panel method debug_toolbar.panels.Panel.generate_stats() allows panels to only record stats when the toolbar is going to be inserted into the response.
Response time for requests of projects with numerous media files has been improved.
This is the first version compatible with Django 1.8.
A new panel is available: Template Profiler.
SHOW_TOOLBAR_CALLBACK accepts a callable.
The toolbar handle cannot leave the visible area anymore when the toolbar is collapsed.
The root level logger is preserved.
RESULTS_CACHE_SIZE setting is taken into account.
CSS classes are prefixed with djdt- to prevent name conflicts.
The private copy of jQuery no longer registers as an AMD module on sites that load RequireJS.
JQUERY_URL setting defines where the toolbar loads jQuery from.
The toolbar now always loads a private copy of jQuery in order to avoid using an incompatible version. It no longer attempts to integrate with AMD.
This private copy is available in djdt.jQuery. Third-party panels are encouraged to use it because it should be as stable as the toolbar itself.
This is the first version compatible with Django 1.7.
The SQL panel colors queries depending on the stack level.
The Profiler panel allows configuring the maximum depth.
Support languages where lowercase and uppercase strings may have different lengths.
Allow using cursor as context managers.
Make the SQL explain more helpful on SQLite.
INTERCEPT_REDIRECTS setting is superseded by the more generic
This is the first stable version of the Debug Toolbar!
It includes many new features and performance improvements as well as a few backwards-incompatible changes to make the toolbar easier to deploy, use, extend and maintain in the future.
You’re strongly encouraged to review the installation and configuration docs and redo the setup in your projects.
Third-party panels will need to be updated to work with this version.
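
Added example, not django-debug-toolbar's own code: a sketch of why the two SQL panel entries above (HMAC instead of simple hashes, and the CVE-2021-30459 fix that signs all fields of the SQL forms) matter for form integrity. The key, the field names and every function name here are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed key for the demo; a real application would use its own secret.
DEMO_KEY = b"constructed-demo-key"


def canonical(fields):
    """Serialize the form fields deterministically so signing is stable."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(fields):
    """Unkeyed digest: anyone who can edit the form can recompute it."""
    return hashlib.sha256(canonical(fields)).hexdigest()


def sign_one_field(fields, key=DEMO_KEY):
    """Keyed, but covers only 'sql'; the other fields are unauthenticated."""
    return hmac.new(key, fields["sql"].encode(), hashlib.sha256).hexdigest()


def sign_all_fields(fields, key=DEMO_KEY):
    """Keyed HMAC over every field, so any edited field invalidates the tag."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def verify(fields, tag, signer):
    """Recompute the tag server-side and compare in constant time."""
    return hmac.compare_digest(signer(fields), tag)


def demo():
    # Constructed form data; field names are hypothetical.
    form = {"sql": "SELECT 1", "params": "[]", "alias": "default"}
    edited = dict(form, alias="replica")  # one field changed after rendering
    return {
        "plain_hash_accepts_edit": verify(edited, plain_hash(edited), plain_hash),
        # A tag issued for the original form still validates the edited one.
        "one_field_accepts_edit": verify(edited, sign_one_field(form), sign_one_field),
        # Full-coverage HMAC rejects the edit and accepts the original.
        "all_fields_accepts_edit": verify(edited, sign_all_fields(form), sign_all_fields),
        "all_fields_accepts_original": verify(form, sign_all_fields(form), sign_all_fields),
    }


if __name__ == "__main__":
    print(demo())
```

Only the last scheme ties every submitted field to a value the server issued, which is the property a form handler that acts on those fields needs.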