threatcode · pull · Nov 20, 2025 · Nov 17, 2025 · Nov 20, 2025
diff --git a/django/utils/html.py b/django/utils/html.py
@@ -7,6 +7,7 @@
 from collections import deque
 from collections.abc import Mapping
 from html.parser import HTMLParser
+from itertools import chain
 from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
 
 from django.conf import settings
@@ -76,8 +77,11 @@ def escape(text):
     ord("\u2029"): "\\u2029",
 }
 
-# Escape every ASCII character with a value less than 32.
-_js_escapes.update((ord("%c" % z), "\\u%04X" % z) for z in range(32))
+# Escape every ASCII character with a value less than 32 (C0), 127(C0),
+# or 128-159(C1).
+_js_escapes.update(
+    (ord("%c" % z), "\\u%04X" % z) for z in chain(range(32), range(0x7F, 0xA0))
+)
 
 
 @keep_lazy(SafeString)

diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
@@ -79,10 +79,10 @@ Django's system checks are organized using the following tags:
 * ``compatibility``: Flags potential problems with version upgrades.
 * ``commands``: Checks custom management commands related configuration.
 * ``database``: Checks database-related configuration issues. Database checks
-  are not run by default because they do more than static code analysis as
-  regular checks do. They are only run by the :djadmin:`migrate` command or if
-  you specify configured database aliases using the ``--database`` option when
-  calling the :djadmin:`check` command.
+  are not run by default because they do more than only static code analysis as
+  most regular checks do. They are only run by the :djadmin:`migrate` command
+  or if you specify configured database aliases using the ``--database`` option
+  when calling the :djadmin:`check` command.
 * ``files``: Checks files related configuration.
 * ``models``: Checks of model, field, and manager definitions.
 * ``security``: Checks security related configuration.

diff --git a/docs/releases/6.1.txt b/docs/releases/6.1.txt
@@ -341,6 +341,12 @@ backends.
   instead of the JSON ``null`` primitive. This matches the behavior of a
   standalone :class:`~django.db.models.JSONField` when storing ``None`` values.
 
+System checks
+-------------
+
+* The :djadmin:`check` management command now supplies all ``databases`` if not
+  specified. Callers should be prepared for databases to be accessed.
+
 Dropped support for PostgreSQL 14
 ---------------------------------
 

diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
@@ -244,6 +244,9 @@ def test_escapejs(self):
                 "paragraph separator:\\u2029and line separator:\\u2028",
             ),
             ("`", "\\u0060"),
+            ("\u007f", "\\u007F"),
+            ("\u0080", "\\u0080"),
+            ("\u009f", "\\u009F"),
         )
         for value, output in items:
             with self.subTest(value=value, output=output):