From d7bc30ffd26ebbe6d98fcd08d9120f44702d2a62 Mon Sep 17 00:00:00 2001 From: Carl Meyer Date: Fri, 26 Sep 2014 11:06:49 -0600 Subject: [PATCH] [1.7.X] Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute. Thanks "djbug" for the report. --- docs/topics/security.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 23c341ae8a..c3167a4fe2 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -31,11 +31,11 @@ protect the following: .. code-block:: html+django - + If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result in unauthorized JavaScript execution, depending on how the browser renders -imperfect HTML. +imperfect HTML. (Quoting the attribute value would fix this case.) It is also important to be particularly careful when using ``is_safe`` with custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
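Review bot: The new parenthetical "(Quoting the attribute value would fix this case.)" states the remedy without the reason, and the reason is what makes the example teachable. Consider expanding it to say that Django's autoescaping converts `"` and `'` to HTML entities, so once the attribute is written as `class="{{ var }}"` the injected value `class1 onmouseover=javascript:func()` cannot close the quoted value and the whole string stays inert inside the `class` attribute; the unquoted form is dangerous precisely because a space ends the attribute. Keeping the wording "this case" is right, since quoting only addresses attribute-value contexts and the following paragraph about `is_safe`, `safe` and `mark_safe` covers the other ways escaping can be bypassed.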