From 5dbe2a9431dc7335359f58c58dc02e9f92c47525 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Tue, 19 Aug 2014 06:09:29 -0400 Subject: [PATCH] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped. --- docs/ref/models/fields.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt index d66ee37c47..0466534e07 100644 --- a/docs/ref/models/fields.txt +++ b/docs/ref/models/fields.txt @@ -260,7 +260,9 @@ desire. For example:: help_text="Please use the following format: YYYY-MM-DD." Alternatively you can use plain text and -``django.utils.html.escape()`` to escape any HTML special characters. +``django.utils.html.escape()`` to escape any HTML special characters. Ensure +that you escape any help text that may come from untrusted users to avoid a +cross-site scripting attack. ``primary_key`` ---------------