[4.2.x] Added warning about flatpages and untrusted users.

Backport of 571bab98879578b6ef54ee654ead06736855767d from main
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-09-27 19:09:10 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2023-09-27 19:10:59 +0200
commit: dd0bf63d3e76ce1e0bc5d6d43f8c853643396887 (patch)
tree: 500e0eb4d738eb881c7f5acfe2887aa16aa81a10 /docs
parent: fec4ed0a250841f41066cbbc9581993ba378d268 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/ref/contrib/flatpages.txt b/docs/ref/contrib/flatpages.txt
index d68257bfd1..c82fb5de85 100644
--- a/docs/ref/contrib/flatpages.txt
+++ b/docs/ref/contrib/flatpages.txt
@@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs
 How to add, change and delete flatpages
 =======================================
 
+.. warning::
+
+    Permissions to add or edit flatpages should be restricted to trusted users.
+    Flatpages are defined by raw HTML and are **not sanitized** by Django. As a
+    consequence, a malicious flatpage can lead to various security
+    vulnerabilities, including permission escalation.
+
 .. _flatpages-admin:
 
 Via the admin interface
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-09-27 19:09:10 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2023-09-27 19:10:59 +0200
commit	dd0bf63d3e76ce1e0bc5d6d43f8c853643396887 (patch)
tree	500e0eb4d738eb881c7f5acfe2887aa16aa81a10 /docs
parent	fec4ed0a250841f41066cbbc9581993ba378d268 (diff)