Grammar fixes and content tweaks to XSS section of security docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
99cd76e273
commit
9896b0df73
|
@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
|
|||
|
||||
.. highlightlang:: html+django
|
||||
|
||||
XSS attacks allow a user to inject client side scripts into the
|
||||
browsers of other users. This is usually achieved by storing the malicious
|
||||
scripts to the database where it will be retrieved and displayed to other users
|
||||
or to get users to click a link containing variables containing scripts that
|
||||
will be rendered by the user's browser. However, XSS attacks can originate
|
||||
from any untrusted source of data such as cookies or web services.
|
||||
XSS attacks allow a user to inject client side scripts into the browsers of
|
||||
other users. This is usually achieved by storing the malicious scripts in the
|
||||
database where it will be retrieved and displayed to other users, or by getting
|
||||
users to click a link which will cause the attacker's javascript to be executred
|
||||
by the user's browser. However, XSS attacks can originate from any untrusted
|
||||
source of data, such as cookies or web services, whenever the data is not
|
||||
sufficiently sanitized before including in a page.
|
||||
|
||||
Using Django templates protects you against the majority of XSS attacks.
|
||||
However, it is important to understand what protections it provides
|
||||
|
@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
|
|||
than HTML, there may be entirely separate characters and words which require
|
||||
escaping.
|
||||
|
||||
You should also be very careful when storing HTML to the database especially
|
||||
when that HTML will be retrieved and displayed.
|
||||
You should also be very careful when storing HTML in the database, especially
|
||||
when that HTML is retrieved and displayed.
|
||||
|
||||
Cross site request forgery (CSRF) protection
|
||||
============================================
|
||||
|
|
Loading…
Reference in New Issue