Re: [Django] #37131: Improvements to the security topic

22 views
Skip to first unread message

Django

unread,
Jun 1, 2026, 8:39:13 AMJun 1
to django-...@googlegroups.com
#37131: Improvements to the security topic
--------------------------------------+------------------------------------
Reporter: blighj | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,
Jun 13, 2026, 8:04:15 AMJun 13
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: B V
Type: | HITESH SAI
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by B V HITESH SAI):

* owner: (none) => B V HITESH SAI
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:3>

Django

unread,
Jun 13, 2026, 8:10:41 AMJun 13
to django-...@googlegroups.com
#37131: Improvements to the security topic
--------------------------------------+------------------------------------
Reporter: blighj | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by B V HITESH SAI):

* owner: B V HITESH SAI => (none)
* status: assigned => new

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:4>

Django

unread,
Jun 15, 2026, 1:54:02 PMJun 15
to django-...@googlegroups.com
#37131: Improvements to the security topic
--------------------------------------+------------------------------------
Reporter: blighj | Owner: Pranith
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Pranith):

* owner: (none) => Pranith
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:5>

Django

unread,
Jun 15, 2026, 2:00:43 PMJun 15
to django-...@googlegroups.com
#37131: Improvements to the security topic
--------------------------------------+------------------------------------
Reporter: blighj | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Pranith):

* owner: Pranith => (none)
* status: assigned => new

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:6>

Django

unread,
Jun 23, 2026, 2:33:48 PMJun 23
to django-...@googlegroups.com
#37131: Improvements to the security topic
--------------------------------------+------------------------------------
Reporter: blighj | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Juan Pedro Roldán):

Hi,

I reviewed this ticket and the attached `security_xss.patch` as a new
contributor looking for documentation-related tasks.

From a reader's perspective, the proposed changes seem useful because they
make the XSS section easier to follow. In particular, separating the
explanation into shorter paragraphs and listing common XSS scenarios makes
the documentation clearer than the current single-paragraph explanation.

I also found the added clarification about Django templates' autoescaping
and its limitations helpful, especially the example showing why leaving an
HTML attribute unquoted can still be risky.

I don't have enough experience with Django's security documentation to
mark this as ready for check-in, but the wording in the patch seems
understandable and useful from a new contributor/user perspective.

I hope this review helps with the triage process.
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:7>

Django

unread,
Jun 23, 2026, 3:05:57 PMJun 23
to django-...@googlegroups.com
#37131: Improvements to the security topic
--------------------------------------+------------------------------------
Reporter: blighj | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by blighj):

The ticket is not assigned, if you wanted you could take it on, create a
PR out of the patch?
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:8>

Django

unread,
Jun 26, 2026, 2:17:04 AMJun 26
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by VIZZARD-X):

* owner: (none) => VIZZARD-X
* status: new => assigned

Comment:

Thank you for the patch @blighj. I'm open to take this, will be opening a
PR for this shortly.
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:9>

Django

unread,
Jul 6, 2026, 11:55:21 AM (10 days ago) Jul 6
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by VIZZARD-X):

The PR is up and ready for review:
[https://github.com/django/django/pull/21587 PR]

I've created the pull request based on the attached `security_xss.patch`,
thanks to James (@blighj) for the initial patch and for breaking the
documentation down so clearly and for others for their reviews.
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:10>

Django

unread,
Jul 12, 2026, 9:13:07 AM (4 days ago) Jul 12
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by James Beard):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:11>

Django

unread,
Jul 12, 2026, 10:42:59 AM (4 days ago) Jul 12
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by VIZZARD-X):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:12>

Django

unread,
Jul 12, 2026, 8:35:00 PM (3 days ago) Jul 12
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by James Beard):

* stage: Accepted => Ready for checkin

Comment:

Provided some feedback which has been incorporated. Touches on the main
mechanisms of XSS and where gotchas might exist when working with Django.
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:13>

Django

unread,
Jul 13, 2026, 5:16:09 PM (2 days ago) Jul 13
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 0 => 1
* stage: Ready for checkin => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:14>

Django

unread,
Jul 14, 2026, 9:46:12 AM (2 days ago) Jul 14
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by VIZZARD-X):

* needs_better_patch: 1 => 0

Comment:

All the changes are implemented as per the reviews.
Thank you Daniele Procida and James Bligh for the initial patches.
Thanks James Beard and Jacob Walls for the reviews
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:15>

Django

unread,
Jul 14, 2026, 11:38:00 AM (2 days ago) Jul 14
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: assigned
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:16>

Django

unread,
Jul 14, 2026, 11:38:27 AM (2 days ago) Jul 14
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"065a4a4b8d55451c4ffba02e447faf9cf5e8d807" 065a4a4]:
{{{#!CommitTicketReference repository=""
revision="065a4a4b8d55451c4ffba02e447faf9cf5e8d807"
Fixed #37131 -- Improved XSS section in security documentation.

Co-authored-by: Daniele Procida <evi...@users.noreply.github.com>
Co-authored-by: James Bligh <bli...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:17>

Django

unread,
Jul 14, 2026, 11:39:05 AM (2 days ago) Jul 14
to django-...@googlegroups.com
#37131: Improvements to the security topic
-------------------------------------+-------------------------------------
Reporter: blighj | Owner: VIZZARD-X
Type: | Status: closed
Cleanup/optimization |
Component: Documentation | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):

In [changeset:"97a89b5a09b036b6bf6151e27f47001220a33938" 97a89b5a]:
{{{#!CommitTicketReference repository=""
revision="97a89b5a09b036b6bf6151e27f47001220a33938"
[6.1.x] Fixed #37131 -- Improved XSS section in security documentation.

Co-authored-by: Daniele Procida <evi...@users.noreply.github.com>
Co-authored-by: James Bligh <bli...@users.noreply.github.com>

Backport of 065a4a4b8d55451c4ffba02e447faf9cf5e8d807 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37131#comment:18>
Reply all
Reply to author
Forward
0 new messages