Mirror of https://github.com/django/django.git, synced 2025-10-25 06:36:07 +00:00
	Fixed #4991 -- Emphasized XSS ramifications of help_text not being escaped.
		| @@ -260,7 +260,9 @@ desire. For example:: | |||||||
|     help_text="Please use the following format: <em>YYYY-MM-DD</em>." |     help_text="Please use the following format: <em>YYYY-MM-DD</em>." | ||||||
|  |  | ||||||
| Alternatively you can use plain text and | Alternatively you can use plain text and | ||||||
| ``django.utils.html.escape()`` to escape any HTML special characters. | ``django.utils.html.escape()`` to escape any HTML special characters. Ensure | ||||||
|  | that you escape any help text that may come from untrusted users to avoid a | ||||||
|  | cross-site scripting attack. | ||||||
|  |  | ||||||
| ``primary_key`` | ``primary_key`` | ||||||
| --------------- | --------------- | ||||||
|   | |||||||
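Review bot: The added sentence tells readers to escape untrusted help text but never states the fact the commit title relies on, namely that ``help_text`` is emitted without escaping; consider prefacing the warning with that, e.g. "Note that ``help_text`` is rendered unescaped, so ensure that you escape any help text that may come from untrusted sources to avoid a cross-site scripting attack." Using "untrusted sources" rather than "untrusted users" also covers help text built from any dynamic data, not only direct user input.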