From f957c299b8e80ba8570535f54913880faa7eaf85 Mon Sep 17 00:00:00 2001
From: David Kennedy <david.kennedy@associates.cisa.dhs.gov>
Date: Tue, 28 Nov 2023 17:12:12 -0500
Subject: [PATCH] added comment

---
 src/api/views.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/api/views.py b/src/api/views.py
index 5e5365e58..a9f8d7692 100644
--- a/src/api/views.py
+++ b/src/api/views.py
@@ -21,6 +21,8 @@ DOMAIN_API_MESSAGES = {
     " For example, if you want www.city.gov, you would enter “city”"
     " (without the quotes).",
     "extra_dots": "Enter the .gov domain you want without any periods.",
+    # message below is considered safe; no user input can be inserted into the message
+    # body; public_site_url() function reads from local app settings and therefore safe
     "unavailable": mark_safe(  # nosec
         "That domain isn’t available. "
         "<a class='usa-link' href='{}' target='_blank'>"