diff options
author | Gabriel Hurley <gabehr@gmail.com> | 2011-02-28 05:40:55 +0000 |
---|---|---|
committer | Gabriel Hurley <gabehr@gmail.com> | 2011-02-28 05:40:55 +0000 |
commit | a5f71e12643043da9bfdb554e0774c242f0f18b9 (patch) | |
tree | 31f4a491b06f0ad973ae4730b398349a6f87811b | |
parent | 32ac8d913e4074da99fe4588c1d0f959f500cd4a (diff) | |
download | django-a5f71e12643043da9bfdb554e0774c242f0f18b9.tar.gz |
[1.2.X] Fixed #15365 -- Added a warning to the `contrib.markup` docs reminding users that the marked up output will not be escaped.
Backport of [15673] from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15674 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r-- | docs/ref/contrib/markup.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/ref/contrib/markup.txt b/docs/ref/contrib/markup.txt index 92823132d6..d5f07f57ef 100644 --- a/docs/ref/contrib/markup.txt +++ b/docs/ref/contrib/markup.txt @@ -24,6 +24,13 @@ To activate these filters, add ``'django.contrib.markup'`` to your For more documentation, read the source code in :file:`django/contrib/markup/templatetags/markup.py`. +.. warning:: + + The output of markup filters is marked "safe" and will not be escaped when + rendered in a template. Always be careful to sanitize your inputs and make + sure you are not leaving yourself vulnerable to cross-site scripting or + other types of attacks. + .. _Textile: http://en.wikipedia.org/wiki/Textile_%28markup_language%29 .. _Markdown: http://en.wikipedia.org/wiki/Markdown .. _reST (reStructured Text): http://en.wikipedia.org/wiki/ReStructuredText |