diff options
| author | Tim Graham <timograham@gmail.com> | 2014-08-19 06:09:29 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-19 06:16:36 -0400 |
| commit | c3c686b92de20b99161d1208e8aec7112213bb28 (patch) | |
| tree | a532715f6bdeda5e3f0a36d8179b2dd033f06eb7 /docs | |
| parent | d6c6181f9ecf90be7d298c670ce23c0327417bb7 (diff) | |
[1.7.x] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.
Backport of 5dbe2a9431 from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/models/fields.txt | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt index 3ddb420a00..9aee866f08 100644 --- a/docs/ref/models/fields.txt +++ b/docs/ref/models/fields.txt @@ -260,7 +260,9 @@ desire. For example:: help_text="Please use the following format: <em>YYYY-MM-DD</em>." Alternatively you can use plain text and -``django.utils.html.escape()`` to escape any HTML special characters. +``django.utils.html.escape()`` to escape any HTML special characters. Ensure +that you escape any help text that may come from untrusted users to avoid a +cross-site scripting attack. ``primary_key`` --------------- |
