From 571bab98879578b6ef54ee654ead06736855767d Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Wed, 27 Sep 2023 19:09:10 +0200 Subject: [PATCH] Added warning about flatpages and untrusted users. --- docs/ref/contrib/flatpages.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/ref/contrib/flatpages.txt b/docs/ref/contrib/flatpages.txt index d68257bfd1..c82fb5de85 100644 --- a/docs/ref/contrib/flatpages.txt +++ b/docs/ref/contrib/flatpages.txt @@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs How to add, change and delete flatpages ======================================= +.. warning:: + + Permissions to add or edit flatpages should be restricted to trusted users. + Flatpages are defined by raw HTML and are **not sanitized** by Django. As a + consequence, a malicious flatpage can lead to various security + vulnerabilities, including permission escalation. + .. _flatpages-admin: Via the admin interface