summaryrefslogtreecommitdiff
path: root/docs/topics
diff options
context:
space:
mode:
authorCarl Meyer <carl@oddbird.net>2014-09-26 11:06:49 -0600
committerCarl Meyer <carl@oddbird.net>2014-09-26 11:08:26 -0600
commitd7bc30ffd26ebbe6d98fcd08d9120f44702d2a62 (patch)
tree93252f5a692a9f4a5c0c6b369102a660d2fd9ba1 /docs/topics
parent9d7a4ea20510a2e35fdeac21d67f3f4c17634c25 (diff)
[1.7.X] Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
Thanks "djbug" for the report.
Diffstat (limited to 'docs/topics')
-rw-r--r--docs/topics/security.txt4
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index 23c341ae8a..c3167a4fe2 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -31,11 +31,11 @@ protect the following:
.. code-block:: html+django
- <style class="{{ var }}">...</style>
+ <style class={{ var }}>...</style>
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
in unauthorized JavaScript execution, depending on how the browser renders
-imperfect HTML.
+imperfect HTML. (Quoting the attribute value would fix this case.)
It is also important to be particularly careful when using ``is_safe`` with
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe