Grammar fixes and content tweaks to XSS section of security docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-07-17 14:17:26 +00:00
parent 99cd76e273
commit 9896b0df73
1 changed files with 9 additions and 8 deletions

View File

@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
.. highlightlang:: html+django
XSS attacks allow a user to inject client side scripts into the
browsers of other users. This is usually achieved by storing the malicious
scripts to the database where it will be retrieved and displayed to other users
or to get users to click a link containing variables containing scripts that
will be rendered by the user's browser. However, XSS attacks can originate
from any untrusted source of data such as cookies or web services.
XSS attacks allow a user to inject client side scripts into the browsers of
other users. This is usually achieved by storing the malicious scripts in the
database where it will be retrieved and displayed to other users, or by getting
users to click a link which will cause the attacker's javascript to be executred
by the user's browser. However, XSS attacks can originate from any untrusted
source of data, such as cookies or web services, whenever the data is not
sufficiently sanitized before including in a page.
Using Django templates protects you against the majority of XSS attacks.
However, it is important to understand what protections it provides
@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
than HTML, there may be entirely separate characters and words which require
escaping.
You should also be very careful when storing HTML to the database especially
when that HTML will be retrieved and displayed.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
Cross site request forgery (CSRF) protection
============================================