mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00
Code Issues 25 Releases Wiki Activity

Added warning about flatpages and untrusted users.

Browse Source
This commit is contained in:
Mariusz Felisiak 2023-09-27 19:09:10 +02:00 committed by GitHub
parent f9e9526800
commit 571bab9887
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/ref/contrib/flatpages.txt
View File

@ -164,6 +164,13 @@ For more on middleware, read the :doc:`middleware docs
How to add, change and delete flatpages How to add, change and delete flatpages
======================================= =======================================
.. warning::
Permissions to add or edit flatpages should be restricted to trusted users.
Flatpages are defined by raw HTML and are **not sanitized** by Django. As a
consequence, a malicious flatpage can lead to various security
vulnerabilities, including permission escalation.
.. _flatpages-admin: .. _flatpages-admin:
Via the admin interface Via the admin interface