From 189dcb1002ef6582cfc8074c09cb6e47d6034dd8 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Fri, 5 Dec 2025 15:32:56 -0500 Subject: [6.0.x] Fixed #36778 -- Extended advice to sanitize input before using in query expressions. Thanks Clifford Gama and Simon Charette for reviews. Backport of 334308efae8e0c7b1523d5583af32b674a098eba from main. --- docs/internals/security.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'docs/internals') diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 745f26f5f5..4eee394759 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -111,9 +111,11 @@ validated:: return JsonResponse(status=200) return JsonResponse(form.errors, status=400) -Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra` and -:class:`.RawSQL` expression) provide developers with full control over the -query, they are insecure if user input is not properly handled. As explained in +Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra`, +:class:`.RawSQL`, and :ref:`keyword arguments to database functions +`) provide developers with full +control over the query, they are insecure if user input is not properly +handled. As explained in our :ref:`security documentation `, it is the developer's responsibility to safely process user input for these functions. -- cgit v1.3