Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.
Thanks "djbug" for the report.
This commit is contained in:
parent
ef5f9b6ae8
commit
d16bc7f0e4
|
@ -31,11 +31,11 @@ protect the following:
|
||||||
|
|
||||||
.. code-block:: html+django
|
.. code-block:: html+django
|
||||||
|
|
||||||
<style class="{{ var }}">...</style>
|
<style class={{ var }}>...</style>
|
||||||
|
|
||||||
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
|
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
|
||||||
in unauthorized JavaScript execution, depending on how the browser renders
|
in unauthorized JavaScript execution, depending on how the browser renders
|
||||||
imperfect HTML.
|
imperfect HTML. (Quoting the attribute value would fix this case.)
|
||||||
|
|
||||||
It is also important to be particularly careful when using ``is_safe`` with
|
It is also important to be particularly careful when using ``is_safe`` with
|
||||||
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
|
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
|
||||||
|
|
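Review bot: the parenthetical added on the right-hand side, "(Quoting the attribute value would fix this case.)", is true only in combination with Django's default auto-escaping, and the sentence would be clearer if it said so. Quoting fixes the example because auto-escaping turns any ``"`` inside ``var`` into ``&quot;``, so the injected string cannot close the quoted value; that same escaping leaves spaces and ``=`` untouched, which is exactly why the now-unquoted ``<style class={{ var }}>`` still lets ``class1 onmouseover=javascript:func()`` become a second attribute. A reader who only quotes but has disabled auto-escaping (for instance via ``mark_safe`` or ``{% autoescape off %}``, both discussed just below) gets no protection. Suggested wording for the new line: "imperfect HTML. (Quoting the attribute value would fix this case, because auto-escaping of ``"`` stops the value from breaking out of the quotes.)"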