Browse files

Added more explicit warnings about unconfigured reStructured Text usa…

…ge in docs.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
1 parent 38d7a3a commit 718f149bb203d6b3f77bb8126e664054ee90fe7d @spookylukey spookylukey committed Apr 19, 2012
Showing with 17 additions and 0 deletions.
  1. +9 −0 docs/ref/contrib/markup.txt
  2. +8 −0 docs/topics/security.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are.
+.. warning::
+ reStructured Text has features that allow raw HTML to be included, and that
+ allow arbitrary files to be included. These can lead to XSS vulnerabilities
+ and leaking of private information. It is your responsibility to check the
+ features of this library and configure appropriately to avoid this. See the
+ `Deploying Docutils Securely
+ <>`_ documentation.
.. _restructuredtext writer settings:
@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
+Markup library
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
Cross site request forgery (CSRF) protection

0 comments on commit 718f149

Please sign in to comment.