| field | value | date |
|---|---|---|
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-12-05 15:32:56 -0500 |
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-12-08 10:25:57 -0500 |
| commit | 189dcb1002ef6582cfc8074c09cb6e47d6034dd8 (patch) | |
| tree | e2f51d2d7aa7adafa32a6c34c24d903e5de377c7 /docs/internals/security.txt | |
| parent | 9f61563b4239a55783ed8ee2877f0e9d4b4a35bf (diff) | |
[6.0.x] Fixed #36778 -- Extended advice to sanitize input before using in query expressions.
Thanks Clifford Gama and Simon Charette for reviews.
Backport of 334308efae8e0c7b1523d5583af32b674a098eba from main.
Diffstat (limited to 'docs/internals/security.txt')
| -rw-r--r-- | docs/internals/security.txt | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 745f26f5f5..4eee394759 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -111,9 +111,11 @@ validated:: return JsonResponse(status=200) return JsonResponse(form.errors, status=400) -Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra` and -:class:`.RawSQL` expression) provide developers with full control over the -query, they are insecure if user input is not properly handled. As explained in +Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra`, +:class:`.RawSQL`, and :ref:`keyword arguments to database functions +<avoiding-sql-injection-in-query-expressions>`) provide developers with full +control over the query, they are insecure if user input is not properly +handled. As explained in our :ref:`security documentation <sql-injection-protection>`, it is the developer's responsibility to safely process user input for these functions. |
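Review bot: the new cross-reference `:ref:`keyword arguments to database functions <avoiding-sql-injection-in-query-expressions>`` relies on a label `avoiding-sql-injection-in-query-expressions` that is not defined anywhere in this hunk; confirm that the label exists in the docs on the 6.0.x branch (the commit message says this is a backport from main, where the label may have been introduced by a separate change), otherwise Sphinx will report an undefined label and the link will render as plain text. The rest of the hunk is a line re-wrap of the existing sentence and leaves the security statement intact: raw SQL constructs hand full control of the query to the developer, so the responsibility for processing user input safely before it reaches them stays with the developer, as the unchanged reference to `<sql-injection-protection>` already states.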
