From d2e40dd8c2031cd03700e72d87d455d5e974800c Mon Sep 17 00:00:00 2001 From: andrewnester Date: Mon, 9 Jan 2017 14:20:57 +0300 Subject: [PATCH] Fixed #27678 -- Warned that the template system isn't safe against untrusted authors. --- docs/topics/templates.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/topics/templates.txt b/docs/topics/templates.txt index c443880004..df5bd9d460 100644 --- a/docs/topics/templates.txt +++ b/docs/topics/templates.txt @@ -36,6 +36,13 @@ For historical reasons, both the generic support for template engines and the implementation of the Django template language live in the ``django.template`` namespace. +.. warning:: + + The template system isn't safe against untrusted template authors. For + example, a site shouldn't allow its users to provide their own templates, + since template authors can do things like perform XSS attacks and access + properties of template variables that may contain sensitive information. + .. _template-engines: Support for template engines
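Review bot: The new warning in docs/topics/templates.txt says untrusted authors can "perform XSS attacks" but does not explain why autoescaping does not cover this case, which is the question a reader will have; consider adding that the template author controls escaping (for example via the ``safe`` filter or ``{% autoescape off %}``), so autoescaping only protects against untrusted *data*, not untrusted *templates*. Since the warning sits in the section describing the generic ``django.template`` namespace, it would also help to state that the caveat applies to every configured engine, not just the Django template language, and to cross-reference it from the API docs where ``Template`` objects are constructed from strings, which is where user-supplied template source is most likely to enter.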