| Field | Value | Date |
|---|---|---|
| author | Luke Plant <L.Plant.98@cantab.net> | 2011-07-17 14:17:26 +0000 |
| committer | Luke Plant <L.Plant.98@cantab.net> | 2011-07-17 14:17:26 +0000 |
| commit | 9896b0df73d5fe49c7c315ddcabbd25aa7c706b4 (patch) | |
| tree | c4bada4b2ba0cb27bd1d424a01fc12c9e7e0e165 /docs/topics/security.txt | |
| parent | 99cd76e2734694d22861b7c224fd1e2dcb643fa0 (diff) | |
Grammar fixes and content tweaks to XSS section of security docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/topics/security.txt')
| -rw-r--r-- | docs/topics/security.txt | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 02847bbb65..037b6b657d 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -12,12 +12,13 @@ Cross site scripting (XSS) protection .. highlightlang:: html+django -XSS attacks allow a user to inject client side scripts into the -browsers of other users. This is usually achieved by storing the malicious -scripts to the database where it will be retrieved and displayed to other users -or to get users to click a link containing variables containing scripts that -will be rendered by the user's browser. However, XSS attacks can originate -from any untrusted source of data such as cookies or web services. +XSS attacks allow a user to inject client side scripts into the browsers of +other users. This is usually achieved by storing the malicious scripts in the +database where it will be retrieved and displayed to other users, or by getting +users to click a link which will cause the attacker's javascript to be executred +by the user's browser. However, XSS attacks can originate from any untrusted +source of data, such as cookies or web services, whenever the data is not +sufficiently sanitized before including in a page. Using Django templates protects you against the majority of XSS attacks. However, it is important to understand what protections it provides @@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other than HTML, there may be entirely separate characters and words which require escaping. -You should also be very careful when storing HTML to the database especially -when that HTML will be retrieved and displayed. +You should also be very careful when storing HTML in the database, especially +when that HTML is retrieved and displayed. Cross site request forgery (CSRF) protection ============================================ |
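Review bot: the first hunk introduces a typo in the added text: "cause the attacker's javascript to be executred by the user's browser" should read "executed", and "javascript" is conventionally written "JavaScript". Two smaller grammar points in the same hunk: "storing the malicious scripts in the database where it will be retrieved" mixes plural and singular (suggest "where they will be retrieved"), and the closing clause "whenever the data is not sufficiently sanitized before including in a page" reads more naturally as "before being included in a page". The second hunk's change to "storing HTML in the database, especially when that HTML is retrieved and displayed" is fine as written.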
