Opened 6 weeks ago

Last modified 5 days ago

#37131 assigned Cleanup/optimization

Improvements to the security topic

Reported by: blighj Owned by: VIZZARD-X
Component: Documentation Version: 6.0
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

#28592 Had an original PR from Daniele, that improved the CSRF documentation, this has since been broken down and merged in smaller PRs. The remaining changes from the original PR do not relate to CSRF, they consist of a new note at the top and rewording of the XSS documentation. These changes can be considered on their own merit, rather than as part of the old ticket.

I've extracted the changes into the attached patch.

Attachments (1)

security_xss.patch (5.4 KB ) - added by blighj 6 weeks ago.

Download all attachments as: .zip

Change History (11)

by blighj, 6 weeks ago

Attachment: security_xss.patch added

comment:1 by blighj, 6 weeks ago

Summary: Improvements to XSS section of security topicImprovements to the security topic

comment:2 by Tim Graham, 6 weeks ago

Triage Stage: UnreviewedAccepted

comment:3 by B V HITESH SAI, 4 weeks ago

Owner: set to B V HITESH SAI
Status: newassigned

comment:4 by B V HITESH SAI, 4 weeks ago

Owner: B V HITESH SAI removed
Status: assignednew

comment:5 by Pranith, 4 weeks ago

Owner: set to Pranith
Status: newassigned

comment:6 by Pranith, 4 weeks ago

Owner: Pranith removed
Status: assignednew

comment:7 by Juan Pedro Roldán, 3 weeks ago

Hi,

I reviewed this ticket and the attached security_xss.patch as a new contributor looking for documentation-related tasks.

From a reader's perspective, the proposed changes seem useful because they make the XSS section easier to follow. In particular, separating the explanation into shorter paragraphs and listing common XSS scenarios makes the documentation clearer than the current single-paragraph explanation.

I also found the added clarification about Django templates' autoescaping and its limitations helpful, especially the example showing why leaving an HTML attribute unquoted can still be risky.

I don't have enough experience with Django's security documentation to mark this as ready for check-in, but the wording in the patch seems understandable and useful from a new contributor/user perspective.

I hope this review helps with the triage process.

comment:8 by blighj, 3 weeks ago

The ticket is not assigned, if you wanted you could take it on, create a PR out of the patch?

comment:9 by VIZZARD-X, 2 weeks ago

Owner: set to VIZZARD-X
Status: newassigned

Thank you for the patch @blighj. I'm open to take this, will be opening a PR for this shortly.

comment:10 by VIZZARD-X, 5 days ago

The PR is up and ready for review: PR

I've created the pull request based on the attached security_xss.patch, thanks to James (@blighj) for the initial patch and for breaking the documentation down so clearly and for others for their reviews.

Note: See TracTickets for help on using tickets.
Back to Top