diff options
| author | Tim Graham <timograham@gmail.com> | 2014-08-19 06:09:29 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-19 06:16:05 -0400 |
| commit | 5dbe2a9431dc7335359f58c58dc02e9f92c47525 (patch) | |
| tree | fd72c66fd8e82a8762cb3b66d61929bcf906c32a /docs | |
| parent | 15cafaa5657bae31df6e515b425dd353b7352aa3 (diff) | |
Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/models/fields.txt | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt index d66ee37c47..0466534e07 100644 --- a/docs/ref/models/fields.txt +++ b/docs/ref/models/fields.txt @@ -260,7 +260,9 @@ desire. For example:: help_text="Please use the following format: <em>YYYY-MM-DD</em>." Alternatively you can use plain text and -``django.utils.html.escape()`` to escape any HTML special characters. +``django.utils.html.escape()`` to escape any HTML special characters. Ensure +that you escape any help text that may come from untrusted users to avoid a +cross-site scripting attack. ``primary_key`` --------------- |
