Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

Thanks "djbug" for the report.
2025-10-31 09:41:08 +00:00 · 2014-09-26 11:06:49 -06:00
parent ef5f9b6ae8
commit d16bc7f0e4
1 changed files with 2 additions and 2 deletions
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -31,11 +31,11 @@ protect the following:

 .. code-block:: html+django

-    <style class="{{ var }}">...</style>
+    <style class={{ var }}>...</style>

 If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
 in unauthorized JavaScript execution, depending on how the browser renders
-imperfect HTML.
+imperfect HTML. (Quoting the attribute value would fix this case.)

 It is also important to be particularly careful when using ``is_safe`` with
 custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe