mirror of https://github.com/django/django.git synced 2025-10-24 22:26:08 +00:00

Fixed #23561 -- Corrected a security doc example that requires an unquoted HTML attribute.

Thanks "djbug" for the report.
This commit is contained in:
Carl Meyer
2014-09-26 11:06:49 -06:00
parent ef5f9b6ae8
commit d16bc7f0e4


@@ -31,11 +31,11 @@ protect the following:
.. code-block:: html+django .. code-block:: html+django
<style class="{{ var }}">...</style> <style class={{ var }}>...</style>
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
in unauthorized JavaScript execution, depending on how the browser renders in unauthorized JavaScript execution, depending on how the browser renders
imperfect HTML. imperfect HTML. (Quoting the attribute value would fix this case.)
It is also important to be particularly careful when using ``is_safe`` with It is also important to be particularly careful when using ``is_safe`` with
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
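Review bot: the added parenthetical "(Quoting the attribute value would fix this case.)" states the fix but not why it works, and placed right after "depending on how the browser renders imperfect HTML" it can be read as browser-dependent advice rather than a rule; suggest one more clause, e.g. "because an unquoted attribute value ends at the first whitespace, so the space in ``var`` starts a new ``onmouseover`` attribute, whereas inside quotes the only way out is a ``"`` character, which autoescaping renders as ``&quot;``." That wording also makes explicit that quoting is only sufficient with autoescaping left on, which ties the example to the ``is_safe``/``safe``/``mark_safe`` caution that follows it.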