DJANGO DOCS PATCH FIXES EMAIL SECURITY ANTIPATTERN IN FORMS GUIDE
By RepoJournal · About Django
Django's ContactForm documentation example was teaching developers to do exactly what you shouldn't do with user email addresses, and it's finally fixed.
The Forms topic reference docs just got a critical update that removes a textbook security mistake [1]. The old example passed the user-provided sender address straight through as `from_email`, which lets anyone who fills in the form make the application send mail that appears to come from an address they do not own, an open door for email spoofing and spam campaigns. Django maintainers renamed the field to `contact_email`, used it only as the `reply_to` address, and made all outgoing mail identify itself as coming from the application's own address instead [2]. They also axed the `cc_myself` checkbox, which let the form send a copy to whatever address the visitor typed in, replacing it with an `urgent` field that still demonstrates `BooleanField` without the spam liability. This is the kind of quiet documentation fix that prevents a thousand production incidents. Stub release notes are now live for Django 6.0.7 and 5.2.16, signaling that patches are locked in and shipping soon [3].
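As an added illustration, not code from the Django docs or the patch, here are the old and new patterns side by side in plain Python using the standard-library `email` package instead of Django's mailer; the application and support addresses are placeholders:

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Placeholder addresses (assumed, not from the page). In a Django project the
# sender would normally come from settings.DEFAULT_FROM_EMAIL.
APP_FROM_ADDRESS = "noreply@example.invalid"
SUPPORT_INBOX = "support@example.invalid"


def unsafe_contact_message(sender, subject, body):
    """Old docs pattern: the visitor-supplied address becomes the From header,
    so the application sends mail 'as' an arbitrary third party."""
    msg = EmailMessage()
    msg["From"] = sender          # attacker-controllable sender identity
    msg["To"] = SUPPORT_INBOX
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def safe_contact_message(contact_email, subject, body, urgent=False):
    """Updated pattern: From is always the application's own address and the
    visitor's address is only used for Reply-To. 'urgent' stands in for the
    BooleanField that replaced cc_myself."""
    _name, addr = parseaddr(contact_email)
    # Sanity check added here: require a parseable single address with no
    # line breaks, so the value can only ever land in the Reply-To header.
    if not addr or "@" not in addr or "\r" in contact_email or "\n" in contact_email:
        raise ValueError("invalid contact address")
    msg = EmailMessage()
    msg["From"] = APP_FROM_ADDRESS
    msg["To"] = SUPPORT_INBOX
    msg["Reply-To"] = addr
    msg["Subject"] = ("[URGENT] " if urgent else "") + subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample form input.
    old = unsafe_contact_message("visitor@example.org", "Hello", "Question")
    new = safe_contact_message("visitor@example.org", "Hello", "Question", urgent=True)
    print("old From:", old["From"])       # visitor-controlled
    print("new From:", new["From"])       # application-controlled
    print("new Reply-To:", new["Reply-To"])
```

Support staff replying to the new message still reach the visitor, because the reply goes to Reply-To, while the envelope and From identity stay under the application's control.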
Action items
- Review your ContactForm implementations against the updated docs pattern (django/django)
- Check whether any of your forms use user-provided addresses in `from_email` fields (django/django)
References
- [1] Fixed #37162 -- Updated ContactForm docs example to use safe practices. (django/django)
- [2] Fixed #37162 -- Updated ContactForm docs example to use safe practices. (django/django)
- [3] Added stub release notes and release date for 6.0.7 and 5.2.16. (django/django)
FAQ
- What changed in Django on July 1, 2026?
  Django's ContactForm documentation example was teaching developers to do exactly what you shouldn't do with user email addresses, and it's finally fixed.
- What should Django teams do about it?
  Review your ContactForm implementations against the updated docs pattern, and check whether any of your forms use user-provided addresses in `from_email` fields.
- Which Django repositories shipped on July 1, 2026?
  django/django