Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

Thanks "djbug" for the report.
This commit is contained in:
Carl Meyer 2014-09-26 11:06:49 -06:00
parent ef5f9b6ae8
commit d16bc7f0e4
1 changed files with 2 additions and 2 deletions

View File

@ -31,11 +31,11 @@ protect the following:
.. code-block:: html+django .. code-block:: html+django
<style class="{{ var }}">...</style> <style class={{ var }}>...</style>
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
in unauthorized JavaScript execution, depending on how the browser renders in unauthorized JavaScript execution, depending on how the browser renders
imperfect HTML. imperfect HTML. (Quoting the attribute value would fix this case.)
It is also important to be particularly careful when using ``is_safe`` with It is also important to be particularly careful when using ``is_safe`` with
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe