diff --git a/docs/ref/contrib/flatpages.txt b/docs/ref/contrib/flatpages.txt index d68257bfd1f..c82fb5de85c 100644 --- a/docs/ref/contrib/flatpages.txt +++ b/docs/ref/contrib/flatpages.txt @@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs How to add, change and delete flatpages ======================================= +.. warning:: + + Permissions to add or edit flatpages should be restricted to trusted users. + Flatpages are defined by raw HTML and are **not sanitized** by Django. As a + consequence, a malicious flatpage can lead to various security + vulnerabilities, including permission escalation. + .. _flatpages-admin: Via the admin interface
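Review bot: The warning names the consequence ("permission escalation") but not the mechanism, which is what an administrator deciding who gets these permissions needs to understand; the first sentence after "are **not sanitized** by Django" should state that a flatpage's HTML is rendered as-is into the site, so script embedded in it runs in the site's origin for every visitor, including staff and superusers, which is how a stored cross-site scripting payload turns into an escalation. Two wording points in the same hunk: "permission escalation" should read "privilege escalation", the established term, and "add or edit" should read "add or change" to match both the section heading ("How to add, change and delete flatpages") and the names of Django's model permissions, so readers map the warning to the permission they actually assign in the admin. Placement before the `.. _flatpages-admin:` label is right, since both the admin and the API paths below it are covered by the same caveat.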