| | | |
|---|---|---|
| author | Tim Graham <timograham@gmail.com> | 2014-08-19 06:09:29 -0400 |
| committer | Tim Graham <timograham@gmail.com> | 2014-08-19 06:16:41 -0400 |
| commit | 190d81179f5eba6f2a1042321f0d39f04860163a | |
| tree | 6d8ff48acbc87ec40dad60b1df23b41b32e3f65c | |
| parent | 75d7bb8d4313f83a832a65cc5e9b17b8ccf97fd1 | |
[1.6.x] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.
Backport of 5dbe2a9431 from master
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/ref/models/fields.txt | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt index bda884697c..45f55d8cb0 100644 --- a/docs/ref/models/fields.txt +++ b/docs/ref/models/fields.txt @@ -240,7 +240,9 @@ desire. For example:: help_text="Please use the following format: <em>YYYY-MM-DD</em>." Alternatively you can use plain text and -``django.utils.html.escape()`` to escape any HTML special characters. +``django.utils.html.escape()`` to escape any HTML special characters. Ensure +that you escape any help text that may come from untrusted users to avoid a +cross-site scripting attack. ``primary_key`` --------------- |
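Review bot: the added sentence states the rule but not the reason, so a reader of this section still has to infer from the preceding paragraph why untrusted help text is dangerous; since the commit title says help_text is rendered without escaping, consider making that explicit in the new text, e.g. "Because help text is rendered without escaping, ensure that you pass any help text that may come from untrusted users through ``django.utils.html.escape()`` to avoid a cross-site scripting (XSS) attack." Spelling out "XSS" also ties the warning to the term used in the commit message, which is what people will search for.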
