Fixed #15365 -- Added a warning to the `contrib.markup` docs reminding users that the marked up output will not be escaped.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15673 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
c9db8cc83f
commit
13838fb233
|
@ -24,6 +24,13 @@ To activate these filters, add ``'django.contrib.markup'`` to your
|
|||
For more documentation, read the source code in
|
||||
:file:`django/contrib/markup/templatetags/markup.py`.
|
||||
|
||||
.. warning::
|
||||
|
||||
The output of markup filters is marked "safe" and will not be escaped when
|
||||
rendered in a template. Always be careful to sanitize your inputs and make
|
||||
sure you are not leaving yourself vulnerable to cross-site scripting or
|
||||
other types of attacks.
|
||||
|
||||
.. _Textile: http://en.wikipedia.org/wiki/Textile_%28markup_language%29
|
||||
.. _Markdown: http://en.wikipedia.org/wiki/Markdown
|
||||
.. _reST (reStructured Text): http://en.wikipedia.org/wiki/ReStructuredText
|
||||
|
|
Loading…
Reference in New Issue