From 190d81179f5eba6f2a1042321f0d39f04860163a Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Tue, 19 Aug 2014 06:09:29 -0400
Subject: [PATCH] [1.6.x] Fixed #4991 -- Emphasized XSS ramifications of
 help_text not being escaped.

Backport of 5dbe2a9431 from master
---
 docs/ref/models/fields.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt
index bda884697c..45f55d8cb0 100644
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@@ -240,7 +240,9 @@ desire. For example::
     help_text="Please use the following format: <em>YYYY-MM-DD</em>."
 
 Alternatively you can use plain text and
-``django.utils.html.escape()`` to escape any HTML special characters.
+``django.utils.html.escape()`` to escape any HTML special characters. Ensure
+that you escape any help text that may come from untrusted users to avoid a
+cross-site scripting attack.
 
 ``primary_key``
 ---------------