From 4f095a14e219502cbb51c3d4877c4c33ea2070db Mon Sep 17 00:00:00 2001 From: wbamberg Date: Fri, 13 Dec 2024 11:30:08 -0800 Subject: [PATCH] Update files/en-us/web/security/attacks/xss/index.md Co-authored-by: Hamish Willee --- files/en-us/web/security/attacks/xss/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/en-us/web/security/attacks/xss/index.md b/files/en-us/web/security/attacks/xss/index.md index 87fd9e359e95fd7..4eb48fb594b0bbd 100644 --- a/files/en-us/web/security/attacks/xss/index.md +++ b/files/en-us/web/security/attacks/xss/index.md @@ -202,7 +202,7 @@ However, suppose the template is like this:
``` -The `my_input` variable will be treated as an HTML attribute by the browser. In this case, if `my_input` is `onmouseover="alert('XSS')"`, then the output encoding that Django provides won't prevent the attack. +In this context the browser will treat the `my_input` variable as an HTML attribute. If `my_input` is `onmouseover="alert('XSS')"`, the output encoding provided by Django won't prevent the attack. The browser uses different rules to process different parts of a web page — HTML elements and their content, HTML attributes, inline styles, inline scripts. The type of encoding that needs to be done is different depending on the context in which the input is being interpolated.
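Review bot: the example payload in the new sentence, `onmouseover="alert('XSS')"`, is built from double and single quotes, which are among the characters HTML output encoding replaces, so the reader is left to work out why Django's escaping does not break it when the interpolated value lands in attribute context. Either switch to a quote-free payload such as `onmouseover=alert(1)`, which demonstrates the attribute-context bypass without depending on how quotes are handled, or add one sentence explaining why the quotes survive (for example, that character references are decoded inside an unquoted attribute value). Minor: "treat the `my_input` variable as an HTML attribute" would be more precise as "treat the contents of `my_input` as an HTML attribute", since it is the interpolated text, not the variable, that the parser sees.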