Grammar fixes and content tweaks to XSS section of security docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37

docs/topics/security.txt

@@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
 
 .. highlightlang:: html+django
 
-XSS attacks allow a user to inject client side scripts into the
-browsers of other users. This is usually achieved by storing the malicious
-scripts to the database where it will be retrieved and displayed to other users
-or to get users to click a link containing variables containing scripts that
-will be rendered by the user's browser. However, XSS attacks can originate
-from any untrusted source of data such as cookies or web services.
+XSS attacks allow a user to inject client side scripts into the browsers of
+other users. This is usually achieved by storing the malicious scripts in the
+database where it will be retrieved and displayed to other users, or by getting
+users to click a link which will cause the attacker's javascript to be executred
+by the user's browser. However, XSS attacks can originate from any untrusted
+source of data, such as cookies or web services, whenever the data is not
+sufficiently sanitized before including in a page.
 
 Using Django templates protects you against the majority of XSS attacks.
 However, it is important to understand what protections it provides
@@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
 than HTML, there may be entirely separate characters and words which require
 escaping.
 
-You should also be very careful when storing HTML to the database especially
-when that HTML will be retrieved and displayed.
+You should also be very careful when storing HTML in the database, especially
+when that HTML is retrieved and displayed.
 
 Cross site request forgery (CSRF) protection
 ============================================