mirror of https://github.com/django/django.git
Grammar fixes and content tweaks to XSS section of security docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
99cd76e273
commit
9896b0df73
@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
.. highlightlang:: html+django
.. highlightlang:: html+django
XSS attacks allow a user to inject client side scripts into the
XSS attacks allow a user to inject client side scripts into the browsers of
browsers of other users. This is usually achieved by storing the malicious
other users. This is usually achieved by storing the malicious scripts in the
scripts to the database where it will be retrieved and displayed to other users
database where it will be retrieved and displayed to other users, or by getting
or to get users to click a link containing variables containing scripts that
users to click a link which will cause the attacker's javascript to be executred
will be rendered by the user's browser. However, XSS attacks can originate
by the user's browser. However, XSS attacks can originate from any untrusted
from any untrusted source of data such as cookies or web services.
source of data, such as cookies or web services, whenever the data is not
sufficiently sanitized before including in a page.
Using Django templates protects you against the majority of XSS attacks.
Using Django templates protects you against the majority of XSS attacks.
However, it is important to understand what protections it provides
However, it is important to understand what protections it provides
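Review bot: the new line `users to click a link which will cause the attacker's javascript to be executred` introduces a typo, "executred" should be "executed", and the rest of Django's docs spell it "JavaScript"; the new closing line `sufficiently sanitized before including in a page.` is also missing its object, suggest "before being included in a page" (or "before including it in a page"). While touching this paragraph, "client side scripts" in the first new line reads better hyphenated as "client-side scripts".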
@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
than HTML, there may be entirely separate characters and words which require
than HTML, there may be entirely separate characters and words which require
escaping.
escaping.
You should also be very careful when storing HTML to the database especially
You should also be very careful when storing HTML in the database, especially
when that HTML will be retrieved and displayed.
when that HTML is retrieved and displayed.
Cross site request forgery (CSRF) protection
Cross site request forgery (CSRF) protection
============================================
============================================