From 571bab98879578b6ef54ee654ead06736855767d Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 27 Sep 2023 19:09:10 +0200
Subject: [PATCH] Added warning about flatpages and untrusted users.

---
 docs/ref/contrib/flatpages.txt | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/ref/contrib/flatpages.txt b/docs/ref/contrib/flatpages.txt
index d68257bfd1f..c82fb5de85c 100644
--- a/docs/ref/contrib/flatpages.txt
+++ b/docs/ref/contrib/flatpages.txt
@@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs
 How to add, change and delete flatpages
 =======================================
 
+.. warning::
+
+    Permissions to add or edit flatpages should be restricted to trusted users.
+    Flatpages are defined by raw HTML and are **not sanitized** by Django. As a
+    consequence, a malicious flatpage can lead to various security
+    vulnerabilities, including permission escalation.
+
 .. _flatpages-admin:
 
 Via the admin interface