author	andrewnester <andrew.nester.dev@gmail.com>	2017-01-09 14:20:57 +0300
committer	Tim Graham <timograham@gmail.com>	2017-01-27 11:29:55 -0500
commit	d9f2887645e8babd332afdf971dc66a02428eaff (patch)
tree	ea6d2d2863421666fcb8887d1cbc9ebaf59de8a2
parent	a364fb38107534362a9817d7d3243d4695798ffd (diff)
[1.11.x] Fixed #27678 -- Warned that the template system isn't safe against untrusted authors.
Backport of d2e40dd8c2031cd03700e72d87d455d5e974800c from master
-rw-r--r--	docs/topics/templates.txt	| 7
1 file changed, 7 insertions, 0 deletions
diff --git a/docs/topics/templates.txt b/docs/topics/templates.txt
index 3ee9a01efd..37a39c0607 100644
--- a/docs/topics/templates.txt
+++ b/docs/topics/templates.txt
@@ -36,6 +36,13 @@ For historical reasons, both the generic support for template engines and the
implementation of the Django template language live in the ``django.template``
namespace.
+.. warning::
+
+ The template system isn't safe against untrusted template authors. For
+ example, a site shouldn't allow its users to provide their own templates,
+ since template authors can do things like perform XSS attacks and access
+ properties of template variables that may contain sensitive information.
+
.. _template-engines:
Support for template engines
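Review bot: the new warning names the consequences (XSS, reading attributes of context variables) but not the mechanism or the mitigation, so readers are left to infer what "isn't safe" means; it would help to state in the same paragraph that the template language has no sandbox, that a template author can turn off autoescaping and dereference any attribute reachable from the context, and that the only safe policy is to load templates exclusively from sources the deployment controls (the file system, the app's own packages). Placement is also worth a second look: the warning sits under the general introduction, while the place a reader is most likely to render user-supplied text as a template is the engine API covered under the ``template-engines`` label that immediately follows, so a cross-reference from that section (or from the ``from_string`` documentation) back to this warning would make it harder to miss.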