From 9896b0df73d5fe49c7c315ddcabbd25aa7c706b4 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Sun, 17 Jul 2011 14:17:26 +0000 Subject: [PATCH] Grammar fixes and content tweaks to XSS section of security docs. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/topics/security.txt | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 02847bbb65..037b6b657d 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -12,12 +12,13 @@ Cross site scripting (XSS) protection .. highlightlang:: html+django -XSS attacks allow a user to inject client side scripts into the -browsers of other users. This is usually achieved by storing the malicious -scripts to the database where it will be retrieved and displayed to other users -or to get users to click a link containing variables containing scripts that -will be rendered by the user's browser. However, XSS attacks can originate -from any untrusted source of data such as cookies or web services. +XSS attacks allow a user to inject client side scripts into the browsers of +other users. This is usually achieved by storing the malicious scripts in the +database where it will be retrieved and displayed to other users, or by getting +users to click a link which will cause the attacker's javascript to be executred +by the user's browser. However, XSS attacks can originate from any untrusted +source of data, such as cookies or web services, whenever the data is not +sufficiently sanitized before including in a page. Using Django templates protects you against the majority of XSS attacks. However, it is important to understand what protections it provides 
@@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other than HTML, there may be entirely separate characters and words which require escaping. -You should also be very careful when storing HTML to the database especially -when that HTML will be retrieved and displayed. +You should also be very careful when storing HTML in the database, especially +when that HTML is retrieved and displayed. Cross site request forgery (CSRF) protection ============================================
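Review bot: typo in the first hunk's added text: "executred" in `+users to click a link which will cause the attacker's javascript to be executred` should be "executed" (and "javascript" is conventionally written "JavaScript"). The same hunk carries over a number-agreement slip from the old wording, "storing the malicious scripts in the database where it will be retrieved and displayed": with the plural "scripts" this should be "where they will be retrieved and displayed". The new closing clause "whenever the data is not sufficiently sanitized before including in a page" reads better as "before being included in a page". Worth fixing in this commit, since its stated purpose is grammar fixes.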
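Review bot: the second hunk's rewritten sentence, `+You should also be very careful when storing HTML in the database, especially` / `+when that HTML is retrieved and displayed.`, is grammatically correct but still only tells the reader to "be careful" without saying what that means in practice. Given the preceding context line about output requiring escaping, a short pointer on what to do with stored HTML when it is rendered (escape it on output, or sanitize it before trusting it) would make the advice actionable rather than purely cautionary.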