[1.7.x] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.

Backport of 5dbe2a9431 from master
Tim Graham 2014-08-19 06:09:29 -04:00
parent d6c6181f9e
commit c3c686b92d
1 changed file with 3 additions and 1 deletion


@ -260,7 +260,9 @@ desire. For example::
help_text="Please use the following format: <em>YYYY-MM-DD</em>." help_text="Please use the following format: <em>YYYY-MM-DD</em>."
Alternatively you can use plain text and Alternatively you can use plain text and
``django.utils.html.escape()`` to escape any HTML special characters. ``django.utils.html.escape()`` to escape any HTML special characters. Ensure
that you escape any help text that may come from untrusted users to avoid a
cross-site scripting attack.
``primary_key`` ``primary_key``
--------------- ---------------