updated changes and upgrading doc

Author: cmeerw

CHANGES.txt

@@ -81,8 +81,8 @@ Fixed:
   input field was translated. (Reported by Ludwig Reiter. John
   Rouillard)
 - Document security issues in xmlrpc interface in doc/xmlrpc.txt.
-- Fixed escaping and encoding issues in jinja2 template. (Report:
-  John Rouillard; Fix: Christof Meerwald)
+- Enable autoescape in the jinja2 template and use the i18n extension
+  for translations. (Report: John Rouillard; Fix: Christof Meerwald)
 
 2019-10-23 2.0.0 alpha 0
 

doc/upgrading.txt

@@ -258,6 +258,20 @@ diff/merge these changes into your responsive template based tracker.
 Jinja template changes
 ----------------------
 
+Auto escaping has been enabled in the jinja template engine, this
+means it is no longer necessary to manually escape dynamic strings
+with "|e", but strings that should not be escaped need to be marked
+with "|safe" (e.g. "{{ context.history()|u|safe }}"). Also, the i18n
+extension has been enabled and the template has been updated to use
+the extension for translatable text instead of explicit "i18n.gettext"
+calls:
+
+   {% trans %}List of issues{% endtrans %}
+
+instead of
+
+   {{ i18n.gettext('List of issues')|u }}
+
 The jinja template has been upgraded to use bootstrap 4.1.3 (from
 2.2.2). You can diff/merge changes into your jinja template based
 tracker.