[1.7.x] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.
Backport of 5dbe2a9431
from master
This commit is contained in:
parent
d6c6181f9e
commit
c3c686b92d
|
@ -260,7 +260,9 @@ desire. For example::
|
|||
help_text="Please use the following format: <em>YYYY-MM-DD</em>."
|
||||
|
||||
Alternatively you can use plain text and
|
||||
``django.utils.html.escape()`` to escape any HTML special characters.
|
||||
``django.utils.html.escape()`` to escape any HTML special characters. Ensure
|
||||
that you escape any help text that may come from untrusted users to avoid a
|
||||
cross-site scripting attack.
|
||||
|
||||
``primary_key``
|
||||
---------------
|
||||
|
|
Loading…
Reference in New Issue