From dae052d823dd66edcd0dd7fe5542d2c6a3a498d0 Mon Sep 17 00:00:00 2001
From: AP Jama <apjama@icloud.com>
Date: Thu, 1 Jun 2023 10:23:53 +0000
Subject: [PATCH] [4.2.x] Fixed #34595 -- Doc'd that format_string arg of
 format_html() is not escaped.

Backport of 4037223d0f12c44ecd6f369ccbabcbd279a1bdbc from main
---
 docs/ref/utils.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index 22d52acbfe..b2b826684d 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -617,8 +617,10 @@ escaping HTML.
 .. function:: format_html(format_string, *args, **kwargs)
 
     This is similar to :meth:`str.format`, except that it is appropriate for
-    building up HTML fragments. All args and kwargs are passed through
+    building up HTML fragments. The first argument ``format_string`` is not
+    escaped but all other args and kwargs are passed through
     :func:`conditional_escape` before being passed to ``str.format()``.
+    Finally, the output has :func:`~django.utils.safestring.mark_safe` applied.
 
     For the case of building up small HTML fragments, this function is to be
     preferred over string interpolation using ``%`` or ``str.format()``