Fixed #36778 -- Extended advice to sanitize input before using in query expressions.

Thanks Clifford Gama and Simon Charette for reviews.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-12-05 15:32:56 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-12-08 10:25:24 -0500
commit: 334308efae8e0c7b1523d5583af32b674a098eba (patch)
tree: ff5918d668e5c50b35530f489698485902864dd5 /docs/internals
parent: af60ae48d98888826928b1c2def47a980f9a4af4 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 745f26f5f5..4eee394759 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -111,9 +111,11 @@ validated::
             return JsonResponse(status=200)
         return JsonResponse(form.errors, status=400)
 
-Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra` and
-:class:`.RawSQL` expression) provide developers with full control over the
-query, they are insecure if user input is not properly handled. As explained in
+Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra`,
+:class:`.RawSQL`, and :ref:`keyword arguments to database functions
+<avoiding-sql-injection-in-query-expressions>`) provide developers with full
+control over the query, they are insecure if user input is not properly
+handled. As explained in
 our :ref:`security documentation <sql-injection-protection>`, it is the
 developer's responsibility to safely process user input for these functions.
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-12-05 15:32:56 -0500
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-12-08 10:25:24 -0500
commit	334308efae8e0c7b1523d5583af32b674a098eba (patch)
tree	ff5918d668e5c50b35530f489698485902864dd5 /docs/internals
parent	af60ae48d98888826928b1c2def47a980f9a4af4 (diff)