summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2023-09-27 19:09:10 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2023-09-27 19:09:38 +0200
commit33ca9f91c2e494d109b2b0a909c5c88b7b08fd26 (patch)
treec430a600bdf37eedfe14f1114077b99c610dc312 /docs/ref
parentbc6d71d4de8a3f6a430ca084419e079f2e3ecf31 (diff)
[5.0.x] Added warning about flatpages and untrusted users.
Backport of 571bab98879578b6ef54ee654ead06736855767d from main
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/contrib/flatpages.txt7
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/ref/contrib/flatpages.txt b/docs/ref/contrib/flatpages.txt
index d68257bfd1..c82fb5de85 100644
--- a/docs/ref/contrib/flatpages.txt
+++ b/docs/ref/contrib/flatpages.txt
@@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs
How to add, change and delete flatpages
=======================================
+.. warning::
+
+ Permissions to add or edit flatpages should be restricted to trusted users.
+ Flatpages are defined by raw HTML and are **not sanitized** by Django. As a
+ consequence, a malicious flatpage can lead to various security
+ vulnerabilities, including permission escalation.
+
.. _flatpages-admin:
Via the admin interface