From 7ab034545019dafb3ccac2cf59e0f2fb937dd014 Mon Sep 17 00:00:00 2001
From: Jeff Gehlbach
Date: Thu, 18 Jul 2024 17:32:38 -0400
Subject: [PATCH] Issue #16934: Escape config-revision banner values by default

- Default to HTML-escaping banner values before displaying them
- Also default to escaping banner values in config form previews
- Escape names of dependent objects displayed when deleting parents
---
 docs/configuration/security.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/configuration/security.md b/docs/configuration/security.md
index 15702f649..7b1a5d6a5 100644
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
@@ -120,6 +120,17 @@ DEFAULT_PERMISSIONS = {
 
 ---
 
+## ESCAPE_BANNERS
+
+Default: True
+
+When disabled, banners will be displayed without first being HTML escaped for safety.
+
+!!! info "Changed in NetBox v4.0.8"
+ Prior to NetBox v4.0.8, this setting was disabled by default.
+
+---
+
 ## EXEMPT_VIEW_PERMISSIONS
 
 Default: Empty list