From 13433dc0a9c86abb338a01439af3f3795b2e3994 Mon Sep 17 00:00:00 2001 From: Jeffrey 'Alex' Clark Date: Tue, 21 Apr 2026 11:07:58 -0400 Subject: [PATCH] Update docs/handbook/security.rst Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/handbook/security.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/handbook/security.rst b/docs/handbook/security.rst index 2984d8e2b..58d066a1d 100644 --- a/docs/handbook/security.rst +++ b/docs/handbook/security.rst @@ -46,8 +46,8 @@ type. An attacker can name a file ``safe.png`` while its content is TIFF, JPEG 2000, or EPS, causing a different — potentially more dangerous — parser to run. *Mitigations:* validate MIME type and magic bytes independently before calling -``Image.open()``; pass the ``format`` parameter explicitly; maintain an -allowlist of accepted formats. +``Image.open()``; pass the ``formats`` argument with an allowlist of accepted +formats. **S-2 — Plugin registry spoofing** @@ -226,8 +226,9 @@ The following mitigations are listed in priority order. advisories `_. 5. **Enforce** ``MAX_IMAGE_PIXELS`` — never set it to ``None``; treat ``Image.DecompressionBombWarning`` as an error. -6. **Allowlist image formats** — unregister plugins your application does not - need. +6. **Allowlist image formats** — restrict accepted formats when opening + images, for example with ``Image.open(..., formats=...)``, and isolate + installs/environments if you need to minimise supported formats. 7. **Strip metadata on output** — never pass through EXIF/XMP/ICC from user uploads to publicly served images. 8. **Sanitise all metadata** returned by Pillow before using it downstream.
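Review bot: in the first hunk (the S-1 mitigations), "validate MIME type" is ambiguous and, read one way, contradicts the threat being described: the MIME type an upload arrives with (the request's Content-Type) is chosen by the same party that chose the ``safe.png`` name, so checking it adds nothing over checking the extension. The sentence should say that the type must be derived from the content (the magic bytes) and that a client-declared type is untrusted, or drop "MIME type" from the list. It would also help to show the shape of the allowlist once, since the later hunk only writes ``Image.open(..., formats=...)``; something like "pass the ``formats`` argument with an allowlist of accepted formats, e.g. ``formats=["PNG", "JPEG"]``" makes clear that the argument takes format names rather than extensions, and that a file whose content is TIFF is then refused rather than handed to the TIFF plugin.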
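Review bot: in the second hunk, item 6 replaces a concrete mechanism ("unregister plugins your application does not need") with a vague one, "isolate installs/environments if you need to minimise supported formats", without saying what isolating an install does to the set of formats Pillow will decode. Either name the mechanism being recommended (for example, installing a build without the optional codec libraries you do not need) or leave that clause out. The item should also make explicit that ``formats=`` is a per-call restriction: any ``Image.open()`` call site that omits it falls back to every registered plugin, so the recommendation only holds if it is applied everywhere images are opened, for instance through a single wrapper that the rest of the application is required to use. That caveat is what distinguishes the new wording from the process-wide effect of the old one and is worth a sentence here.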