Grammar fixes and content tweaks to XSS section of security docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 9896b0df73d5fe49c7c315ddcabbd25aa7c706b4 1 parent 99cd76e
@spookylukey spookylukey authored
Showing with 9 additions and 8 deletions.
  1. +9 −8 docs/topics/security.txt
17 docs/topics/security.txt
@@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
.. highlightlang:: html+django
-XSS attacks allow a user to inject client side scripts into the
-browsers of other users. This is usually achieved by storing the malicious
-scripts to the database where it will be retrieved and displayed to other users
-or to get users to click a link containing variables containing scripts that
-will be rendered by the user's browser. However, XSS attacks can originate
-from any untrusted source of data such as cookies or web services.
+XSS attacks allow a user to inject client side scripts into the browsers of
+other users. This is usually achieved by storing the malicious scripts in the
+database where it will be retrieved and displayed to other users, or by getting
+users to click a link which will cause the attacker's javascript to be executred
+by the user's browser. However, XSS attacks can originate from any untrusted
+source of data, such as cookies or web services, whenever the data is not
+sufficiently sanitized before including in a page.
Using Django templates protects you against the majority of XSS attacks.
However, it is important to understand what protections it provides
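Review bot: the added line "users to click a link which will cause the attacker's javascript to be executred" has a typo in a commit whose purpose is grammar fixes; it should read "executed", and "JavaScript" is normally capitalized in the Django docs. The last added line, "sufficiently sanitized before including in a page", also reads awkwardly; "before being included in a page" would be clearer.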
@@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
than HTML, there may be entirely separate characters and words which require
escaping.
-You should also be very careful when storing HTML to the database especially
-when that HTML will be retrieved and displayed.
+You should also be very careful when storing HTML in the database, especially
+when that HTML is retrieved and displayed.
Cross site request forgery (CSRF) protection
============================================
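Review bot: the rewritten sentence "You should also be very careful when storing HTML in the database, especially when that HTML is retrieved and displayed." still does not say what being careful means. Consider stating the concrete point, consistent with the earlier paragraph's "sufficiently sanitized" wording: such HTML needs to be sanitized either before it is stored or before it is rendered, since otherwise it is displayed to other users as the earlier paragraph describes.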