Described how querysets are protected from SQL injection in more detail.

docs/topics/security.txt

@@ -90,14 +90,17 @@ SQL injection is a type of attack where a malicious user is able to execute
 arbitrary SQL code on a database. This can result in records
 being deleted or data leakage.
 
-By using Django's querysets, the resulting SQL will be properly escaped by
+Django's querysets are protected from SQL injection since their queries are
-the underlying database driver. However, Django also gives developers power to
+constructed using query parameterization. A query's SQL code is defined
-write :ref:`raw queries <executing-raw-queries>` or execute
+separately from the query's parameters. Since parameters may be user-provided
-:ref:`custom sql <executing-custom-sql>`. These capabilities should be used
+and therefore unsafe, they are escaped by the underlying database driver.
-sparingly and you should always be careful to properly escape any parameters
+
-that the user can control. In addition, you should exercise caution when using
+Django also gives developers power to write :ref:`raw queries
-:meth:`~django.db.models.query.QuerySet.extra` and
+<executing-raw-queries>` or execute :ref:`custom sql <executing-custom-sql>`.
-:class:`~django.db.models.expressions.RawSQL`.
+These capabilities should be used sparingly and you should always be careful to
+properly escape any parameters that the user can control. In addition, you
+should exercise caution when using :meth:`~django.db.models.query.QuerySet.extra`
+and :class:`~django.db.models.expressions.RawSQL`.
 
 Clickjacking protection
 =======================