author: Carl Meyer <carl@oddbird.net> 2014-09-26 11:06:49 -0600
committer: Carl Meyer <carl@oddbird.net> 2014-09-26 11:07:55 -0600
commit: d16bc7f0e46785bcf422310c41d20b25c0112051
tree: aa8a07ef0c39b49861960ad04a6e6c1334c4c5b8 /docs/topics/security.txt
parent: ef5f9b6ae8c873927aa6047f5f9d1d902a0c2177
Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
Thanks "djbug" for the report.
Diffstat (limited to 'docs/topics/security.txt')
-rw-r--r--  docs/topics/security.txt  4
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index a3e656557b..6eab39efed 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -31,11 +31,11 @@ protect the following:
.. code-block:: html+django
- <style class="{{ var }}">...</style>
+ <style class={{ var }}>...</style>
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
in unauthorized JavaScript execution, depending on how the browser renders
-imperfect HTML.
+imperfect HTML. (Quoting the attribute value would fix this case.)
It is also important to be particularly careful when using ``is_safe`` with
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
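Review bot: the added parenthetical on the `+imperfect HTML.` line states that quoting fixes this case but not why, and the example only makes sense once the reader sees that; suggest expanding it to say that the payload ``'class1 onmouseover=javascript:func()'`` contains no quote characters, so autoescaping leaves it untouched, and the space only starts a new attribute when the value is unquoted as in `<style class={{ var }}>`; with `class="{{ var }}"` the space stays inside the attribute value and any `"` in ``var`` would be escaped, so the value cannot terminate the attribute. That also makes it clear this is the one attribute case autoescaping does not cover on its own, which is the point of the paragraph.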