Grammar fixes and content tweaks to XSS section of security docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16545 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 9896b0df73d5fe49c7c315ddcabbd25aa7c706b4 1 parent 99cd76e
@spookylukey spookylukey authored
Showing with 9 additions and 8 deletions.
  1. +9 −8 docs/topics/security.txt
17 docs/topics/security.txt
@@ -12,12 +12,13 @@ Cross site scripting (XSS) protection
.. highlightlang:: html+django
-XSS attacks allow a user to inject client side scripts into the
-browsers of other users. This is usually achieved by storing the malicious
-scripts to the database where it will be retrieved and displayed to other users
-or to get users to click a link containing variables containing scripts that
-will be rendered by the user's browser. However, XSS attacks can originate
-from any untrusted source of data such as cookies or web services.
+XSS attacks allow a user to inject client side scripts into the browsers of
+other users. This is usually achieved by storing the malicious scripts in the
+database where it will be retrieved and displayed to other users, or by getting
+users to click a link which will cause the attacker's javascript to be executred
+by the user's browser. However, XSS attacks can originate from any untrusted
+source of data, such as cookies or web services, whenever the data is not
+sufficiently sanitized before including in a page.
Using Django templates protects you against the majority of XSS attacks.
However, it is important to understand what protections it provides
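Review bot: the new line "+users to click a link which will cause the attacker's javascript to be executred" introduces a typo ("executred" should be "executed") in a commit whose purpose is grammar fixes; "javascript" should also be capitalised as "JavaScript" to match the rest of the docs. The trailing clause "whenever the data is not sufficiently sanitized before including in a page" reads better as "before being included in a page".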
@@ -44,8 +45,8 @@ In addition, if you are using the template system to output something other
than HTML, there may be entirely separate characters and words which require
escaping.
-You should also be very careful when storing HTML to the database especially
-when that HTML will be retrieved and displayed.
+You should also be very careful when storing HTML in the database, especially
+when that HTML is retrieved and displayed.
Cross site request forgery (CSRF) protection
============================================
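Review bot: "be very careful when storing HTML in the database" is vague advice for a security document; since the first hunk already frames the risk as data that is "not sufficiently sanitized before including in a page", this sentence could say the same concretely, e.g. "you should sanitize stored HTML before it is rendered, or mark it safe only when its source is trusted", so readers know what the caution actually asks of them.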