From 6f6043fd26a83bd0625ce34e1f64a1663fec26db Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 3 Aug 2015 16:27:49 -0400 Subject: [1.8.x] Fixed #25212 -- Documented the RawSQL expression. Backport of 97fa7fe961f961b6c93a11b50a7a1ed35c8bce8d from master --- docs/topics/security.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs/topics') diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 6eab39efed..3d535bb85e 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -94,7 +94,8 @@ write :ref:`raw queries ` or execute :ref:`custom sql `. These capabilities should be used sparingly and you should always be careful to properly escape any parameters that the user can control. In addition, you should exercise caution when using -:meth:`extra() `. +:meth:`~django.db.models.query.QuerySet.extra` and +:class:`~django.db.models.expressions.RawSQL`. Clickjacking protection ======================= -- cgit v1.3