Flask

------------

Released 2013-06-13, codename Limoncello

- Changed default cookie serialization format from pickle to JSON to
limit the impact an attacker can do if the secret key leaks.
- Added ``template_test`` methods in addition to the already existing
``template_filter`` method family.
- Added ``template_global`` methods in addition to the already
existing ``template_filter`` method family.
- Set the content-length header for x-sendfile.
- ``tojson`` filter now does not escape script blocks in HTML5
parsers.
- ``tojson`` used in templates is now safe by default. This was
allowed due to the different escaping behavior.
- Flask will now raise an error if you attempt to register a new
function on an already used endpoint.
- Added wrapper module around simplejson and added default
serialization of datetime objects. This allows much easier
customization of how JSON is handled by Flask or any Flask
extension.
- Removed deprecated internal ``flask.session`` module alias. Use
``flask.sessions`` instead to get the session module. This is not to
be confused with ``flask.session`` the session proxy.
- Templates can now be rendered without request context. The behavior
is slightly different as the ``request``, ``session`` and ``g``
objects will not be available and blueprint's context processors are
not called.
- The config object is now available to the template as a real global
and not through a context processor which makes it available even in
imported templates by default.
- Added an option to generate non-ascii encoded JSON which should
result in less bytes being transmitted over the network. It's
disabled by default to not cause confusion with existing libraries
that might expect ``flask.json.dumps`` to return bytes by default.
- ``flask.g`` is now stored on the app context instead of the request
context.
- ``flask.g`` now gained a ``get()`` method for not erroring out on
non existing items.
- ``flask.g`` now can be used with the ``in`` operator to see what's
defined and it now is iterable and will yield all attributes stored.
- ``flask.Flask.request_globals_class`` got renamed to
``flask.Flask.app_ctx_globals_class`` which is a better name to what
it does since 0.10.
- ``request``, ``session`` and ``g`` are now also added as proxies to
the template context which makes them available in imported
templates. One has to be very careful with those though because
usage outside of macros might cause caching.
- Flask will no longer invoke the wrong error handlers if a proxy
exception is passed through.
- Added a workaround for chrome's cookies in localhost not working as
intended with domain names.
- Changed logic for picking defaults for cookie values from sessions
to work better with Google Chrome.
- Added ``message_flashed`` signal that simplifies flashing testing.
- Added support for copying of request contexts for better working
with greenlets.
- Removed custom JSON HTTP exception subclasses. If you were relying
on them you can reintroduce them again yourself trivially. Using
them however is strongly discouraged as the interface was flawed.
- Python requirements changed: requiring Python 2.6 or 2.7 now to
prepare for Python 3.3 port.
- Changed how the teardown system is informed about exceptions. This
is now more reliable in case something handles an exception halfway
through the error handling process.
- Request context preservation in debug mode now keeps the exception
information around which means that teardown handlers are able to
distinguish error from success cases.
- Added the ``JSONIFY_PRETTYPRINT_REGULAR`` configuration variable.
- Flask now orders JSON keys by default to not trash HTTP caches due
to different hash seeds between different workers.
- Added ``appcontext_pushed`` and ``appcontext_popped`` signals.
- The builtin run method now takes the ``SERVER_NAME`` into account
when picking the default port to run on.
- Added ``flask.request.get_json()`` as a replacement for the old
``flask.request.json`` property.

-----------

Released 2012-07-01, codename Campari

- The ``Request.on_json_loading_failed`` now returns a JSON formatted
response by default.
- The ``url_for`` function now can generate anchors to the generated
links.
- The ``url_for`` function now can also explicitly generate URL rules
specific to a given HTTP method.
- Logger now only returns the debug log setting if it was not set
explicitly.
- Unregister a circular dependency between the WSGI environment and
the request object when shutting down the request. This means that
environ ``werkzeug.request`` will be ``None`` after the response was
returned to the WSGI server but has the advantage that the garbage
collector is not needed on CPython to tear down the request unless
the user created circular dependencies themselves.
- Session is now stored after callbacks so that if the session payload
is stored in the session you can still modify it in an after request
callback.
- The ``Flask`` class will avoid importing the provided import name if
it can (the required first parameter), to benefit tools which build
Flask instances programmatically. The Flask class will fall back to
using import on systems with custom module hooks, e.g. Google App
Engine, or when the import name is inside a zip archive (usually an
egg) prior to Python 2.7.
- Blueprints now have a decorator to add custom template filters
application wide, ``Blueprint.app_template_filter``.
- The Flask and Blueprint classes now have a non-decorator method for
adding custom template filters application wide,
``Flask.add_template_filter`` and
``Blueprint.add_app_template_filter``.
- The ``get_flashed_messages`` function now allows rendering flashed
message categories in separate blocks, through a ``category_filter``
argument.
- The ``Flask.run`` method now accepts ``None`` for ``host`` and
``port`` arguments, using default values when ``None``. This allows
for calling run using configuration values, e.g.
``app.run(app.config.get('MYHOST'), app.config.get('MYPORT'))``,
with proper behavior whether or not a config file is provided.
- The ``render_template`` method now accepts a either an iterable of
template names or a single template name. Previously, it only
accepted a single template name. On an iterable, the first template
found is rendered.
- Added ``Flask.app_context`` which works very similar to the request
context but only provides access to the current application. This
also adds support for URL generation without an active request
context.
- View functions can now return a tuple with the first instance being
an instance of ``Response``. This allows for returning
``jsonify(error="error msg"), 400`` from a view function.
- ``Flask`` and ``Blueprint`` now provide a ``get_send_file_max_age``
hook for subclasses to override behavior of serving static files
from Flask when using ``Flask.send_static_file`` (used for the
default static file handler) and ``helpers.send_file``. This hook is
provided a filename, which for example allows changing cache
controls by file extension. The default max-age for ``send_file``
and static files can be configured through a new
``SEND_FILE_MAX_AGE_DEFAULT`` configuration variable, which is used
in the default ``get_send_file_max_age`` implementation.
- Fixed an assumption in sessions implementation which could break
message flashing on sessions implementations which use external
storage.
- Changed the behavior of tuple return values from functions. They are
no longer arguments to the response object, they now have a defined
meaning.
- Added ``Flask.request_globals_class`` to allow a specific class to
be used on creation of the ``g`` instance of each request.
- Added ``required_methods`` attribute to view functions to force-add
methods on registration.
- Added ``flask.after_this_request``.
- Added ``flask.stream_with_context`` and the ability to push contexts
multiple times without producing unexpected behavior.

-------------

Released 2012-07-01

- Fixed an issue with the undocumented ``flask.session`` module to not
work properly on Python 2.5. It should not be used but did cause
some problems for package managers.

-----------

Released 2011-09-29, codename Rakija

- Refactored session support into a session interface so that the
implementation of the sessions can be changed without having to
override the Flask class.
- Empty session cookies are now deleted properly automatically.
- View functions can now opt out of getting the automatic OPTIONS
implementation.
- HTTP exceptions and Bad Request errors can now be trapped so that
they show up normally in the traceback.
- Flask in debug mode is now detecting some common problems and tries
to warn you about them.
- Flask in debug mode will now complain with an assertion error if a
view was attached after the first request was handled. This gives
earlier feedback when users forget to import view code ahead of
time.
- Added the ability to register callbacks that are only triggered once
at the beginning of the first request with
``Flask.before_first_request``.
- Malformed JSON data will now trigger a bad request HTTP exception
instead of a value error which usually would result in a 500
internal server error if not handled. This is a backwards
incompatible change.
- Applications now not only have a root path where the resources and
modules are located but also an instance path which is the
designated place to drop files that are modified at runtime (uploads
etc.). Also this is conceptually only instance depending and outside
version control so it's the perfect place to put configuration files
etc.
- Added the ``APPLICATION_ROOT`` configuration variable.
- Implemented ``TestClient.session_transaction`` to easily modify
sessions from the test environment.
- Refactored test client internally. The ``APPLICATION_ROOT``
configuration variable as well as ``SERVER_NAME`` are now properly
used by the test client as defaults.
- Added ``View.decorators`` to support simpler decorating of pluggable
(class-based) views.
- Fixed an issue where the test client if used with the "with"
statement did not trigger the execution of the teardown handlers.
- Added finer control over the session cookie parameters.
- HEAD requests to a method view now automatically dispatch to the
``get`` method if no handler was implemented.
- Implemented the virtual ``flask.ext`` package to import extensions
from.
- The context preservation on exceptions is now an integral component
of Flask itself and no longer of the test client. This cleaned up
some internal logic and lowers the odds of runaway request contexts
in unittests.
- Fixed the Jinja2 environment's ``list_templates`` method not
returning the correct names when blueprints or modules were
involved.

-------------

Released 2011-07-06

- Fixed an issue with URL processors not properly working on
blueprints.

-------------

Released 2011-06-29

- Added missing future import that broke 2.5 compatibility.
- Fixed an infinite redirect issue with blueprints.