[4.2.x] Fixed #34595 -- Doc'd that format_string arg of format_html() is not escaped.

Backport of 4037223d0f12c44ecd6f369ccbabcbd279a1bdbc from main
author: AP Jama <apjama@icloud.com> 2023-06-01 10:23:53 +0000
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-06-01 13:10:45 +0100
commit: dae052d823dd66edcd0dd7fe5542d2c6a3a498d0 (patch)
tree: 739636bcc569da2d3a90176cf5fb62886a093a82 /docs/ref/utils.txt
parent: dca5f5d58af8b8d82c96bdf3d28be74886bb955f (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index 22d52acbfe..b2b826684d 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -617,8 +617,10 @@ escaping HTML.
 .. function:: format_html(format_string, *args, **kwargs)
 
     This is similar to :meth:`str.format`, except that it is appropriate for
-    building up HTML fragments. All args and kwargs are passed through
+    building up HTML fragments. The first argument ``format_string`` is not
+    escaped but all other args and kwargs are passed through
     :func:`conditional_escape` before being passed to ``str.format()``.
+    Finally, the output has :func:`~django.utils.safestring.mark_safe` applied.
 
     For the case of building up small HTML fragments, this function is to be
     preferred over string interpolation using ``%`` or ``str.format()``
author	AP Jama <apjama@icloud.com>	2023-06-01 10:23:53 +0000
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-06-01 13:10:45 +0100
commit	dae052d823dd66edcd0dd7fe5542d2c6a3a498d0 (patch)
tree	739636bcc569da2d3a90176cf5fb62886a093a82 /docs/ref/utils.txt
parent	dca5f5d58af8b8d82c96bdf3d28be74886bb955f (diff)