p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Added warning about flatpages and untrusted users.

This commit is contained in:
Mariusz Felisiak 2023-09-27 19:09:10 +02:00 committed by GitHub
parent f9e9526800
commit 571bab9887
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/ref/contrib/flatpages.txt
View File

@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs
How to add, change and delete flatpages
=======================================
.. warning::
Permissions to add or edit flatpages should be restricted to trusted users.
Flatpages are defined by raw HTML and are **not sanitized** by Django. As a
consequence, a malicious flatpage can lead to various security
vulnerabilities, including permission escalation.
.. _flatpages-admin:
Via the admin interface