mirror of
https://github.com/django/django.git
synced 2025-10-24 06:06:09 +00:00
Fixed #27678 -- Warned that the template system isn't safe against untrusted authors.
@@ -36,6 +36,13 @@ For historical reasons, both the generic support for template engines and the
implementation of the Django template language live in the ``django.template``
namespace.
.. warning::
The template system isn't safe against untrusted template authors. For
example, a site shouldn't allow its users to provide their own templates,
since template authors can do things like perform XSS attacks and access
properties of template variables that may contain sensitive information.
.. _template-engines:
Support for template engines
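Review bot: the scope of "The template system" in the new warning is ambiguous, because the surrounding context sentence distinguishes "the generic support for template engines" from "the implementation of the Django template language", and the warning sits right before the ``.. _template-engines:`` label. A reader could take it to mean only the Django template language is unsafe for untrusted authors, while the risk described (XSS via template output, reading attributes of variables passed into the context) applies to any configured backend. Suggest making the first sentence explicit, e.g. "No template engine is safe against untrusted template authors." or "The template system (whichever backend is configured) isn't safe against untrusted template authors.", and consider "attributes" rather than "properties" in the last sentence, since template variable lookup resolves attributes, not only Python properties.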