summaryrefslogtreecommitdiff
path: root/docs/ref/models
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-08-19 06:09:29 -0400
committerTim Graham <timograham@gmail.com>2014-08-19 06:16:36 -0400
commitc3c686b92de20b99161d1208e8aec7112213bb28 (patch)
treea532715f6bdeda5e3f0a36d8179b2dd033f06eb7 /docs/ref/models
parentd6c6181f9ecf90be7d298c670ce23c0327417bb7 (diff)
[1.7.x] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.
Backport of 5dbe2a9431 from master
Diffstat (limited to 'docs/ref/models')
-rw-r--r--docs/ref/models/fields.txt4
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt
index 3ddb420a00..9aee866f08 100644
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@@ -260,7 +260,9 @@ desire. For example::
help_text="Please use the following format: <em>YYYY-MM-DD</em>."
Alternatively you can use plain text and
-``django.utils.html.escape()`` to escape any HTML special characters.
+``django.utils.html.escape()`` to escape any HTML special characters. Ensure
+that you escape any help text that may come from untrusted users to avoid a
+cross-site scripting attack.
``primary_key``
---------------