Diffstat (limited to 'docs/internals/security.txt')

-rw-r--r--  docs/internals/security.txt | 8

1 file changed, 5 insertions, 3 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt
index 745f26f5f5..4eee394759 100644
--- a/docs/internals/security.txt
+++ b/docs/internals/security.txt
@@ -111,9 +111,11 @@ validated::
return JsonResponse(status=200)
return JsonResponse(form.errors, status=400)
-Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra` and
-:class:`.RawSQL` expression) provide developers with full control over the
-query, they are insecure if user input is not properly handled. As explained in
+Similarly, as Django's raw SQL constructs (such as :meth:`~.QuerySet.extra`,
+:class:`.RawSQL`, and :ref:`keyword arguments to database functions
+<avoiding-sql-injection-in-query-expressions>`) provide developers with full
+control over the query, they are insecure if user input is not properly
+handled. As explained in
our :ref:`security documentation <sql-injection-protection>`, it is the
developer's responsibility to safely process user input for these functions.
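Review bot: the new cross-reference ``:ref:`keyword arguments to database functions <avoiding-sql-injection-in-query-expressions>` `` in this hunk points at a label that is not defined anywhere in this patch; please confirm that the ``avoiding-sql-injection-in-query-expressions`` target already exists in the security documentation (or is added in the same change), since an undefined label makes Sphinx emit a warning and render the link as plain text instead of a working reference. Minor style point: the rewrap leaves ``handled. As explained in`` as a short dangling line; reflowing the tail of the paragraph (``handled. As explained in our :ref:`security documentation <sql-injection-protection>`, it is the``) to the file's usual line width would keep it consistent with the surrounding text.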