[1.7.X] Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

Thanks "djbug" for the report.
Carl Meyer 2014-09-26 11:06:49 -06:00
parent 9d7a4ea205
commit d7bc30ffd2
1 changed files with 2 additions and 2 deletions


@ -31,11 +31,11 @@ protect the following:
.. code-block:: html+django .. code-block:: html+django
<style class="{{ var }}">...</style> <style class={{ var }}>...</style>
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
in unauthorized JavaScript execution, depending on how the browser renders in unauthorized JavaScript execution, depending on how the browser renders
imperfect HTML. imperfect HTML. (Quoting the attribute value would fix this case.)
It is also important to be particularly careful when using ``is_safe`` with It is also important to be particularly careful when using ``is_safe`` with
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
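Review bot: the retained wording "depending on how the browser renders imperfect HTML" no longer matches the corrected example. With the quotes removed, ``<style class=class1 onmouseover=javascript:func()>`` is ordinary well-formed markup that every browser parses as two attributes, so the exposure no longer depends on lenient parsing; consider dropping "imperfect" or rewording the sentence to say that the space in ``var`` terminates the unquoted ``class`` value and lets the remainder become a new attribute. The added parenthetical "(Quoting the attribute value would fix this case.)" would also be stronger if it said why, i.e. that inside a quoted value the space cannot end the attribute, so readers do not take the quoting as a mere style preference.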