From 007d5b048d061266c696c5b72c6c4530382351a0 Mon Sep 17 00:00:00 2001
From: Matt Westcott <matt@west.co.tt>
Date: Thu, 7 Mar 2024 14:54:35 +0000
Subject: [PATCH] Release note for #11735

---
 CHANGELOG.txt        | 1 +
 CONTRIBUTORS.md      | 1 +
 docs/releases/6.1.md | 1 +
 3 files changed, 3 insertions(+)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 047a6b8df4b5..ff9d66a1339f 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -31,6 +31,7 @@ Changelog
  * Docs: Fix formatting of `--purge-only` in `wagtail_update_image_renditions` management command section (Pranith Beeram)
  * Docs: Update template components documentation to better explain the usage of the Laces library (Tibor Leupold)
  * Docs: Update Sphinx theme to `6.3.0` with a fix for the missing favicon (Sage Abdullah)
+ * Docs: Document risk of XSS attacks on document upload (Matt Westcott, with thanks to Georgios Roumeliotis of TwelveSec for the original report)
  * Maintenance: Move RichText HTML whitelist parser to use the faster, built in `html.parser` (Jake Howard)
  * Maintenance: Remove duplicate 'path' in default_exclude_fields_in_copy (Ramchandra Shahi Thakuri)
  * Maintenance: Update unit tests to always use the faster, built in `html.parser` & remove `html5lib` dependency (Jake Howard)
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 16d1bb9d723f..0ca7ddd1aa8a 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -806,6 +806,7 @@
 * Pranith Beeram
 * Maranda Provance
 * Mark Niehues
+* Georgios Roumeliotis
 
 ## Translators
 
diff --git a/docs/releases/6.1.md b/docs/releases/6.1.md
index 6a29d606a1ab..718c617251ec 100644
--- a/docs/releases/6.1.md
+++ b/docs/releases/6.1.md
@@ -48,6 +48,7 @@ depth: 1
  * Fix formatting of `--purge-only` in [`wagtail_update_image_renditions`](wagtail_update_image_renditions) management command section (Pranith Beeram)
  * Update [template components](creating_template_components) documentation to better explain the usage of the Laces library (Tibor Leupold)
  * Update Sphinx theme to `6.3.0` with a fix for the missing favicon (Sage Abdullah)
+ * Document risk of XSS attacks on document upload (Matt Westcott, with thanks to Georgios Roumeliotis of TwelveSec for the original report)
 
 
 ### Maintenance