
Fixed #31029 -- Used more specific links to RFCs.

Baptiste Mispelon 5 years ago
parent
commit
ff1b19da67

+ 5 - 4
docs/ref/csrf.txt

@@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be
 used to POST data back.
 
 It deliberately ignores GET requests (and other requests that are defined as
-'safe' by :rfc:`7231`). These requests ought never to have any potentially
-dangerous side effects , and so a CSRF attack with a GET request ought to be
-harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other
-methods are also assumed to be unsafe, for maximum protection.
+'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any
+potentially dangerous side effects, and so a CSRF attack with a GET request
+ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE
+as 'unsafe', and all other methods are also assumed to be unsafe, for maximum
+protection.
 
 The CSRF protection cannot protect against man-in-the-middle attacks, so use
 :ref:`HTTPS <security-recommendation-ssl>` with
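
Review bot: the added lines link :rfc:`7231#section-4.2.1` twice in consecutive sentences, once for the 'safe' definition and again on the line "ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE". One anchored link is enough for the reader; the second sentence could refer back to it ("That section ...") instead of repeating the same target.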

+ 2 - 2
docs/ref/models/instances.txt

@@ -755,8 +755,8 @@ track down every place that the URL might be created. Specify it once, in
 
 .. note::
     The string you return from ``get_absolute_url()`` **must** contain only
-    ASCII characters (required by the URI specification, :rfc:`2396`) and be
-    URL-encoded, if necessary.
+    ASCII characters (required by the URI specification, :rfc:`2396#section-2`)
+    and be URL-encoded, if necessary.
 
     Code and templates calling ``get_absolute_url()`` should be able to use the
     result directly without any further processing. You may wish to use the
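
Review bot: the new :rfc:`2396#section-2` anchor still cites RFC 2396, while the docs/ref/validators.txt hunk in this same commit moves its URI reference to RFC 3986. RFC 3986 obsoletes RFC 2396, so suggest citing the character rules from RFC 3986 in this note as well, so the URI references agree across the docs.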

+ 8 - 8
docs/ref/request-response.txt

@@ -823,9 +823,9 @@ Methods
       JavaScript from having access to the cookie.
 
       HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's
-      part of the :rfc:`6265` standard for cookies and can be a useful way to
-      mitigate the risk of a client-side script accessing the protected cookie
-      data.
+      part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies
+      and can be a useful way to mitigate the risk of a client-side script
+      accessing the protected cookie data.
     * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
       to send this cookie when performing a cross-origin request. `SameSite`_
       isn't supported by all browsers, so it's not a replacement for Django's
@@ -836,11 +836,11 @@ Methods
 
     .. warning::
 
-        :rfc:`6265` states that user agents should support cookies of at least
-        4096 bytes. For many browsers this is also the maximum size. Django
-        will not raise an exception if there's an attempt to store a cookie of
-        more than 4096 bytes, but many browsers will not set the cookie
-        correctly.
+        :rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
+        support cookies of at least 4096 bytes. For many browsers this is also
+        the maximum size. Django will not raise an exception if there's an
+        attempt to store a cookie of more than 4096 bytes, but many browsers
+        will not set the cookie correctly.
 
 .. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)
 

+ 3 - 3
docs/ref/settings.txt

@@ -2759,7 +2759,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy
 which sets this header is in use.
 
 This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per
-:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port
+:rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port
 number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`.
 
 .. setting:: USE_X_FORWARDED_PORT
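
Review bot: on the changed line, :rfc:`7239#section-5.3` is cited for a statement about the ``X-Forwarded-Host`` header, but RFC 7239 specifies the ``Forwarded`` header and its parameters rather than the ``X-Forwarded-*`` headers. Since this setting decides which host value the application trusts, suggest rewording so the sentence does not read as if the RFC defines ``X-Forwarded-Host``, for example by saying the host value may carry a port as described for ``Forwarded``.
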
@@ -3108,8 +3108,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to
 cookie.
 
 HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of
-the :rfc:`6265` standard for cookies and can be a useful way to mitigate the
-risk of a client-side script accessing the protected cookie data.
+the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to
+mitigate the risk of a client-side script accessing the protected cookie data.
 
 This makes it less trivial for an attacker to escalate a cross-site scripting
 vulnerability into full hijacking of a user's session. There aren't many good
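
Review bot: the HttpOnly sentence here uses the bare form :rfc:`6265#section-4.1.2.6`, while the identical sentence in docs/ref/request-response.txt is changed to the explicit-title form :rfc:`RFC 6265 <6265#section-4.1.2.6>`. Suggest using one form for both so the two passages render the same link text.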

+ 2 - 1
docs/ref/templates/builtins.txt

@@ -1417,7 +1417,8 @@ Format character  Description                               Example output
                   the "c" formatter will not add timezone
                   offset if value is a naive datetime
                   (see :class:`datetime.tzinfo`).
-``r``             :rfc:`5322` formatted date.               ``'Thu, 21 Dec 2000 16:01:07 +0200'``
+``r``             :rfc:`RFC 5322 <5322#section-3.3>`        ``'Thu, 21 Dec 2000 16:01:07 +0200'``
+                  formatted date.
 ``U``             Seconds since the Unix Epoch
                   (January 1 1970 00:00:00 UTC).
 ================  ========================================  =====================

+ 2 - 2
docs/ref/utils.txt

@@ -713,8 +713,8 @@ escaping HTML.
 
 .. function:: http_date(epoch_seconds=None)
 
-    Formats the time to match the :rfc:`1123` date format as specified by HTTP
-    :rfc:`7231#section-7.1.1.1`.
+    Formats the time to match the :rfc:`1123#section-5.2.14` date format as
+    specified by HTTP :rfc:`7231#section-7.1.1.1`.
 
     Accepts a floating point number expressed in seconds since the epoch in
     UTC--such as that outputted by ``time.time()``. If set to ``None``,

+ 2 - 1
docs/ref/validators.txt

@@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods.
     an error code of ``'invalid'`` if it doesn't.
 
     Loopback addresses and reserved IP spaces are considered valid. Literal
-    IPv6 addresses (:rfc:`2732`) and unicode domains are both supported.
+    IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
+    supported.
 
     In addition to the optional arguments of its parent :class:`RegexValidator`
     class, ``URLValidator`` accepts an extra optional attribute:
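
Review bot: the changed line replaces :rfc:`2732` with :rfc:`3986#section-3.2.2`, which swaps the cited RFC rather than only adding a section anchor, and the commit message ("Used more specific links to RFCs") does not mention it. Suggest noting the RFC change in the commit message so the substitution is visible in history.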