You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -154,7 +154,19 @@ This is the appropriate choice when you want to treat input as text, for example
<p>You searched for \{{ search_term }}.</p>
```
Most modern templating engines automatically perform output encoding. For example, if you pass `<img src=x onerror=alert('XSS!')>` into the Django template above, it will be rendered as text:
Most modern templating engines automatically perform output encoding. For example, Django's templating engine performs the following conversions:
-`<` is converted to `<`
-`>` is converted to `>`
-`'` is converted to `'`
-`"` is converted to `"`
-`&` is converted to `&`
This means that if you pass `<img src=x onerror=alert('XSS!')>` into the Django template above, it will be rendered as text:
> You searched for <img src=x onerror=alert('XSS!')>.
