From a5f71e12643043da9bfdb554e0774c242f0f18b9 Mon Sep 17 00:00:00 2001 From: Gabriel Hurley Date: Mon, 28 Feb 2011 05:40:55 +0000 Subject: [PATCH] [1.2.X] Fixed #15365 -- Added a warning to the `contrib.markup` docs reminding users that the marked up output will not be escaped. Backport of [15673] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15674 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/contrib/markup.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/ref/contrib/markup.txt b/docs/ref/contrib/markup.txt index 92823132d6..d5f07f57ef 100644 --- a/docs/ref/contrib/markup.txt +++ b/docs/ref/contrib/markup.txt @@ -24,6 +24,13 @@ To activate these filters, add ``'django.contrib.markup'`` to your For more documentation, read the source code in :file:`django/contrib/markup/templatetags/markup.py`. +.. warning:: + + The output of markup filters is marked "safe" and will not be escaped when + rendered in a template. Always be careful to sanitize your inputs and make + sure you are not leaving yourself vulnerable to cross-site scripting or + other types of attacks. + .. _Textile: http://en.wikipedia.org/wiki/Textile_%28markup_language%29 .. _Markdown: http://en.wikipedia.org/wiki/Markdown .. _reST (reStructured Text): http://en.wikipedia.org/wiki/ReStructuredText
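Review bot: the advice in the new warning, "Always be careful to sanitize your inputs", is vaguer than the problem it describes, and the hunk would read better if it named the concrete rule. Since the warning itself states that filter output is marked "safe" and skips template escaping, the actionable guidance is that these filters must not be applied to untrusted (user-supplied) text, or that the resulting HTML must be cleaned before rendering; sanitizing the markup source does not help when the markup language itself admits raw HTML. Suggest rewording the second sentence along the lines of "Do not apply these filters to untrusted input unless you sanitize the resulting HTML, or you may leave yourself vulnerable to cross-site scripting or other attacks." The placement before the link targets and the `.. warning::` directive syntax are fine.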