Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

Added more explicit warnings about unconfigured reStructured Text usa…

…ge in docs.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 718f149bb203d6b3f77bb8126e664054ee90fe7d 1 parent 38d7a3a
@spookylukey spookylukey authored
Showing with 17 additions and 0 deletions.
  1. +9 −0 docs/ref/contrib/markup.txt
  2. +8 −0 docs/topics/security.txt
9 docs/ref/contrib/markup.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are.
+.. warning::
+ reStructured Text has features that allow raw HTML to be included, and that
+ allow arbitrary files to be included. These can lead to XSS vulnerabilities
+ and leaking of private information. It is your responsibility to check the
+ features of this library and configure appropriately to avoid this. See the
+ `Deploying Docutils Securely
+ <>`_ documentation.
.. _restructuredtext writer settings:
8 docs/topics/security.txt
@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
+Markup library
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
Cross site request forgery (CSRF) protection
Please sign in to comment.
Something went wrong with that request. Please try again.