| author | Tim Graham <timograham@gmail.com> | 2016-02-11 07:58:15 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-02-11 07:58:15 -0500 |
| commit | f2b45ddd99ff23c0bd103f1dda1e1cb0c8dc6d84 (patch) | |
| tree | 4ba021f19f49d6640c6cc64010dd64587e08816d /docs/topics/security.txt | |
| parent | 58f815080509bc963fc3d99af324034bfe4de181 (diff) | |
Fixed #26206 -- Fixed docs comments causing empty code blocks.
Diffstat (limited to 'docs/topics/security.txt')
| -rw-r--r-- | docs/topics/security.txt | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 917817ba6f..0707da0473 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -30,10 +30,11 @@ malicious input, it is not entirely foolproof. For example, it will not protect the following: .. code-block:: text -.. highlighting as html+django fails due to intentionally missing quotes. <style class={{ var }}>...</style> +.. highlighting as html+django fails due to intentionally missing quotes. + If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML. (Quoting the attribute value would fix this case.) |
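Review bot: relocating the `.. highlighting as html+django fails due to intentionally missing quotes.` comment from between `.. code-block:: text` and the `<style class={{ var }}>...</style>` line to after that line is the right fix, since an unindented explicit-markup line starting with `..` placed directly after the directive ends the directive before any content is reached, which is what produced the empty code block. The added blank line after the relocated comment is also needed, because a reStructuredText comment continues until the next unindented text, so without it the following "If ``var`` is set to ..." paragraph would risk being absorbed into the comment. Worth confirming with a docs build that the `<style>` line now renders inside the code block and the paragraph still renders as prose.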
