mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 01:25:32 +00:00
Code Issues 32 Releases Wiki Activity

[1.11.x] Fixed #27678 -- Warned that the template system isn't safe against untrusted authors.

Browse Source 
Backport of d2e40dd8c2 from master
This commit is contained in:
andrewnester
2017-01-09 14:20:57 +03:00
committed by Tim Graham
parent a364fb3810
commit d9f2887645
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/topics/templates.txt
View File

@@ -36,6 +36,13 @@ For historical reasons, both the generic support for template engines and the
implementation of the Django template language live in the ``django.template`` implementation of the Django template language live in the ``django.template``
namespace. namespace.
.. warning::
The template system isn't safe against untrusted template authors. For
example, a site shouldn't allow its users to provide their own templates,
since template authors can do things like perform XSS attacks and access
properties of template variables that may contain sensitive information.
.. _template-engines: .. _template-engines:
Support for template engines Support for template engines