Added more explicit warnings about unconfigured reStructured Text usage in docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 718f149bb203d6b3f77bb8126e664054ee90fe7d 1 parent 38d7a3a
Luke Plant authored April 19, 2012
9  docs/ref/contrib/markup.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
46 46
 override the default writer settings. See the `restructuredtext writer
47 47
 settings`_ for details on what these settings are.
48 48
 
  49
+.. warning::
  50
+
  51
+   reStructured Text has features that allow raw HTML to be included, and that
  52
+   allow arbitrary files to be included. These can lead to XSS vulnerabilities
  53
+   and leaking of private information. It is your responsibility to check the
  54
+   features of this library and configure appropriately to avoid this. See the
  55
+   `Deploying Docutils Securely
  56
+   <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
  57
+
49 58
 .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
50 59
 
51 60
 Markdown
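Review bot: The new warning (lines 51-56 of the hunk) tells readers to "configure appropriately" but does not say which settings to change, even though the context lines just above it explain that the writer settings can be overridden; naming the relevant docutils settings there (for example, the `raw_enabled` and `file_insertion_enabled` settings that control the raw-HTML and file-inclusion features the warning describes) would make the warning actionable instead of deferring entirely to the linked "Deploying Docutils Securely" page. Two smaller points: the project's name is spelled "reStructuredText" (one word) elsewhere in these docs, so "reStructured Text has features" on line 51 should match, and the `.. warning::` block would read better if it also stated that these features are enabled by default in docutils, which is the reason unconfigured use is dangerous.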
8  docs/topics/security.txt
@@ -48,6 +48,14 @@ escaping.
48 48
 You should also be very careful when storing HTML in the database, especially
49 49
 when that HTML is retrieved and displayed.
50 50
 
  51
+Markup library
  52
+--------------
  53
+
  54
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
  55
+only used on trusted input, or that you have correctly configured them to ensure
  56
+they do not allow raw HTML output. See the documentation of that module for more
  57
+information.
  58
+
51 59
 Cross site request forgery (CSRF) protection
52 60
 ============================================
53 61
 
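Review bot: The new "Markup library" section (lines 54-57 of the hunk) only mentions preventing "raw HTML output", but the companion change in docs/ref/contrib/markup.txt also warns about arbitrary file inclusion and leaking of private information; this section should mention both risks so the security topic does not understate the problem. "See the documentation of that module for more information" would also be better as a Sphinx cross-reference (for example a `:doc:` link to the markup reference page) so readers can follow it directly, consistent with how the rest of this file links to related documentation.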
