From b3569b3a825e82d25ffadf49f436c13f30a205f8 Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Mon, 6 Oct 2014 11:30:33 -0600 Subject: [PATCH] [1.7.X] Fixed #23602 -- Add comment on get_absolute_url regarding user input Backport of 04bd84786d39b8a17620dfb3b354599d8d95417b from master. --- docs/ref/models/instances.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/ref/models/instances.txt b/docs/ref/models/instances.txt index 5d3005d762..8116fab3b5 100644 --- a/docs/ref/models/instances.txt +++ b/docs/ref/models/instances.txt @@ -592,6 +592,19 @@ framework `, use ``get_absolute_url()`` when it is defined. If it makes sense for your model's instances to each have a unique URL, you should define ``get_absolute_url()``. +.. warning:: + + You should avoid building the URL from un-validated user input, in order to + reduce possibilities of link or redirect poisoning:: + + def get_absolute_url(self): + return '/%s/' % self.name + + If ``self.name`` is ``'/example.com'`` this returns ``'//example.com/'`` + which, in turn, is a valid schema relative URL but not the expected + ``'/%2Fexample.com/'``. + + It's good practice to use ``get_absolute_url()`` in templates, instead of hard-coding your objects' URLs. For example, this template code is bad:
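Review bot: the warning added to docs/ref/models/instances.txt explains the hazard but stops short of saying what to do instead; the sentence "You should avoid building the URL from un-validated user input" should point readers at the fix the rest of this page already recommends, which is to build the URL through a named URL pattern with reverse(), e.g. `return reverse('people.views.details', args=[str(self.id)])`, so that the value is checked against the pattern's regular expression (a slug pattern such as `[\w-]+` rejects `/example.com` with NoReverseMatch rather than emitting `//example.com/`), or, where string formatting is unavoidable, to quote the interpolated value so that `/example.com` really does become `/%2Fexample.com/` as the text expects. Two smaller points in the same hunk: "schema relative URL" should read "scheme-relative URL" (it is the URL scheme, not a schema, that is left out, and that is why `//example.com/` is resolved by browsers as a link to a different host), and "un-validated" should be "unvalidated". Finally, the hunk adds two consecutive blank lines before the unchanged "It's good practice to use ``get_absolute_url()``" paragraph; one blank line is enough to close the `.. warning::` directive and matches the spacing used elsewhere in this file.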