[2.2.x] Fixed #31029 -- Used more specific links to RFCs.

Backport of ff1b19d from master

Author: bmispelon

docs/ref/csrf.txt

@@ -298,10 +298,11 @@ This ensures that only forms that have originated from trusted domains can be
 used to POST data back.
 
 It deliberately ignores GET requests (and other requests that are defined as
-'safe' by :rfc:`7231`). These requests ought never to have any potentially
-dangerous side effects , and so a CSRF attack with a GET request ought to be
-harmless. :rfc:`7231` defines POST, PUT, and DELETE as 'unsafe', and all other
-methods are also assumed to be unsafe, for maximum protection.
+'safe' by :rfc:`7231#section-4.2.1`). These requests ought never to have any
+potentially dangerous side effects, and so a CSRF attack with a GET request
+ought to be harmless. :rfc:`7231#section-4.2.1` defines POST, PUT, and DELETE
+as 'unsafe', and all other methods are also assumed to be unsafe, for maximum
+protection.
 
 The CSRF protection cannot protect against man-in-the-middle attacks, so use
 :ref:`HTTPS <security-recommendation-ssl>` with

docs/ref/models/instances.txt

@@ -755,8 +755,8 @@ in ``get_absolute_url()`` and have all your other code call that one place.
 
 .. note::
     The string you return from ``get_absolute_url()`` **must** contain only
-    ASCII characters (required by the URI specification, :rfc:`2396`) and be
-    URL-encoded, if necessary.
+    ASCII characters (required by the URI specification, :rfc:`2396#section-2`)
+    and be URL-encoded, if necessary.
 
     Code and templates calling ``get_absolute_url()`` should be able to use the
     result directly without any further processing. You may wish to use the

docs/ref/request-response.txt

@@ -809,9 +809,9 @@ Methods
       JavaScript from having access to the cookie.
 
       HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's
-      part of the :rfc:`6265` standard for cookies and can be a useful way to
-      mitigate the risk of a client-side script accessing the protected cookie
-      data.
+      part of the :rfc:`RFC 6265 <6265#section-4.1.2.6>` standard for cookies
+      and can be a useful way to mitigate the risk of a client-side script
+      accessing the protected cookie data.
     * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not
       to send this cookie when performing a cross-origin request. `SameSite`_
       isn't supported by all browsers, so it's not a replacement for Django's
@@ -826,11 +826,11 @@ Methods
 
     .. warning::
 
-        :rfc:`6265` states that user agents should support cookies of at least
-        4096 bytes. For many browsers this is also the maximum size. Django
-        will not raise an exception if there's an attempt to store a cookie of
-        more than 4096 bytes, but many browsers will not set the cookie
-        correctly.
+        :rfc:`RFC 6265 <6265#section-6.1>` states that user agents should
+        support cookies of at least 4096 bytes. For many browsers this is also
+        the maximum size. Django will not raise an exception if there's an
+        attempt to store a cookie of more than 4096 bytes, but many browsers
+        will not set the cookie correctly.
 
 .. method:: HttpResponse.set_signed_cookie(key, value, salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False, samesite=None)
 

docs/ref/settings.txt

@@ -2701,7 +2701,7 @@ preference to the ``Host`` header. This should only be enabled if a proxy
 which sets this header is in use.
 
 This setting takes priority over :setting:`USE_X_FORWARDED_PORT`. Per
-:rfc:`7239#page-7`, the ``X-Forwarded-Host`` header can include the port
+:rfc:`7239#section-5.3`, the ``X-Forwarded-Host`` header can include the port
 number, in which case you shouldn't use :setting:`USE_X_FORWARDED_PORT`.
 
 .. setting:: USE_X_FORWARDED_PORT
@@ -3020,8 +3020,8 @@ Whether to use ``HttpOnly`` flag on the session cookie. If this is set to
 cookie.
 
 HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of
-the :rfc:`6265` standard for cookies and can be a useful way to mitigate the
-risk of a client-side script accessing the protected cookie data.
+the :rfc:`6265#section-4.1.2.6` standard for cookies and can be a useful way to
+mitigate the risk of a client-side script accessing the protected cookie data.
 
 This makes it less trivial for an attacker to escalate a cross-site scripting
 vulnerability into full hijacking of a user's session. There aren't many good

docs/ref/templates/builtins.txt

@@ -1417,7 +1417,8 @@ Format character  Description                               Example output
                   the "c" formatter will not add timezone
                   offset if value is a naive datetime
                   (see :class:`datetime.tzinfo`).
-``r``             :rfc:`5322` formatted date.               ``'Thu, 21 Dec 2000 16:01:07 +0200'``
+``r``             :rfc:`RFC 5322 <5322#section-3.3>`        ``'Thu, 21 Dec 2000 16:01:07 +0200'``
+                  formatted date.
 ``U``             Seconds since the Unix Epoch
                   (January 1 1970 00:00:00 UTC).
 ================  ========================================  =====================

docs/ref/utils.txt

@@ -720,8 +720,8 @@ escaping HTML.
 
 .. function:: http_date(epoch_seconds=None)
 
-    Formats the time to match the :rfc:`1123` date format as specified by HTTP
-    :rfc:`7231#section-7.1.1.1`.
+    Formats the time to match the :rfc:`1123#section-5.2.14` date format as
+    specified by HTTP :rfc:`7231#section-7.1.1.1`.
 
     Accepts a floating point number expressed in seconds since the epoch in
     UTC--such as that outputted by ``time.time()``. If set to ``None``,

docs/ref/validators.txt

@@ -154,7 +154,8 @@ to, or in lieu of custom ``field.clean()`` methods.
     an error code of ``'invalid'`` if it doesn't.
 
     Loopback addresses and reserved IP spaces are considered valid. Literal
-    IPv6 addresses (:rfc:`2732`) and unicode domains are both supported.
+    IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
+    supported.
 
     In addition to the optional arguments of its parent :class:`RegexValidator`
     class, ``URLValidator`` accepts an extra optional attribute: