Add more docs around autoescape changes

diff --git a/website/sphinx/overview.rst b/website/sphinx/overview.rst
index c33e49933993a4691bacd5ed9abeb3552c858d33..2b8c2d6fa4152eb7de444758e638ab840109aa4f 100644 (file)
--- a/website/sphinx/overview.rst
+++ b/website/sphinx/overview.rst
@@ -317,6 +317,14 @@ replacing ``{{ ... }}`` with ``{% raw ...%}``. Additionally, in each of
 these places the name of an alternative escaping function may be used
 instead of ``None``.
 
+Note that while Tornado's automatic escaping is helpful in avoiding
+XSS vulnerabilities, it is not sufficient in all cases.  Expressions
+that appear in certain locations, such as in Javascript or CSS, may need
+additional escaping.  Additionally, either care must be taken to always
+use double quotes and ``xhtml_escape`` in HTML attributes that may contain
+untrusted content, or a separate escaping function must be used for
+attributes (see e.g. http://wonko.com/post/html-escaping)
+
 Cookies and secure cookies
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/website/sphinx/releases/v2.0.0.rst b/website/sphinx/releases/v2.0.0.rst
index f53432b9d9b08970181429ca83e9c723638c45a0..bc8aa3e740294d159cfc266baeba51e097fb7477 100644 (file)
--- a/website/sphinx/releases/v2.0.0.rst
+++ b/website/sphinx/releases/v2.0.0.rst
@@ -17,6 +17,8 @@ Jun 21, 2011
       a previous release of Tornado must either disable autoescaping or adapt
       their templates to work with it.  For most applications, the simplest
       way to do this is to pass autoescape=None to the Application constructor.
+      Note that this affects certain built-in methods, e.g. xsrf_form_html
+      and linkify, which must now be called with {% raw %} instead of {}
     * Applications that wish to continue using curl_httpclient instead of
       simple_httpclient may do so by calling
         AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient")