From d16bc7f0e46785bcf422310c41d20b25c0112051 Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Fri, 26 Sep 2014 11:06:49 -0600 Subject: [PATCH] Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute. Thanks "djbug" for the report. --- docs/topics/security.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index a3e656557b..6eab39efed 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -31,11 +31,11 @@ protect the following: .. code-block:: html+django - + If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result in unauthorized JavaScript execution, depending on how the browser renders -imperfect HTML. +imperfect HTML. (Quoting the attribute value would fix this case.) It is also important to be particularly careful when using ``is_safe`` with custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe