Author: lukeplant
Date: 2011-07-17 07:17:26 -0700 (Sun, 17 Jul 2011)
New Revision: 16545
Modified: django/trunk/docs/topics/security.txt Log: Grammar fixes and content tweaks to XSS section of security docs. Modified: django/trunk/docs/topics/security.txt =================================================================== --- django/trunk/docs/topics/security.txt 2011-07-14 19:40:30 UTC (rev 16544) +++ django/trunk/docs/topics/security.txt 2011-07-17 14:17:26 UTC (rev 16545) @@ -12,12 +12,13 @@ .. highlightlang:: html+django -XSS attacks allow a user to inject client side scripts into the -browsers of other users. This is usually achieved by storing the malicious -scripts to the database where it will be retrieved and displayed to other users -or to get users to click a link containing variables containing scripts that -will be rendered by the user's browser. However, XSS attacks can originate -from any untrusted source of data such as cookies or web services. +XSS attacks allow a user to inject client side scripts into the browsers of +other users. This is usually achieved by storing the malicious scripts in the +database where it will be retrieved and displayed to other users, or by getting +users to click a link which will cause the attacker's javascript to be executred +by the user's browser. However, XSS attacks can originate from any untrusted +source of data, such as cookies or web services, whenever the data is not +sufficiently sanitized before including in a page. Using Django templates protects you against the majority of XSS attacks. However, it is important to understand what protections it provides 
@@ -44,8 +45,8 @@ than HTML, there may be entirely separate characters and words which require escaping. -You should also be very careful when storing HTML to the database especially -when that HTML will be retrieved and displayed. +You should also be very careful when storing HTML in the database, especially +when that HTML is retrieved and displayed. Cross site request forgery (CSRF) protection ============================================
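Review bot: the first hunk (the XSS introduction at lines 12-13) introduces a typo in the new text: `+users to click a link which will cause the attacker's javascript to be executred` should read "executed", and "javascript" is conventionally written "JavaScript"; for a commit whose log says "Grammar fixes" this should be corrected before landing. Two smaller points in the same hunk: `+database where it will be retrieved and displayed to other users, or by getting` keeps the number mismatch from the old text ("scripts ... it"; "they" would agree), and the closing line `+sufficiently sanitized before including in a page` reads more naturally as "before being included in a page", with "escaped" being the more precise word given that the paragraph right after says Django templates provide the protection and the second hunk's context talks about characters that "require escaping".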
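Review bot: the second hunk (lines 45-46) improves the grammar of `+You should also be very careful when storing HTML in the database, especially` / `+when that HTML is retrieved and displayed.` but still leaves "careful" undefined. Since the first hunk names scripts stored in the database and later displayed to other users as the main XSS vector, one clause saying what to do would make the advice actionable: stored HTML must be treated as untrusted input when it is rendered, i.e. escaped or filtered against an allow-list of tags, rather than output as-is.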