[1.6.x] Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.

Backport of 5dbe2a9431 from master
2025-04-19 06:44:36 +00:00 · 2014-08-19 06:09:29 -04:00 · 2014-08-19 06:09:29 -04:00 · 190d81179f
commit 190d81179f
parent 75d7bb8d43
1 changed files with 3 additions and 1 deletions
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@ -240,7 +240,9 @@ desire. For example::
    help_text="Please use the following format: <em>YYYY-MM-DD</em>."

 Alternatively you can use plain text and
-``django.utils.html.escape()`` to escape any HTML special characters.
+``django.utils.html.escape()`` to escape any HTML special characters. Ensure
+that you escape any help text that may come from untrusted users to avoid a
+cross-site scripting attack.

 ``primary_key``
 ---------------