Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed querystrings, worked as intended for HTTP and HTTPS URLs, but permitted redirects to other schemes, such as javascript:. The is_safe_url function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes.