Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Added more explicit warnings about unconfigured reStructured Text usa…

…ge in docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 718f149bb203d6b3f77bb8126e664054ee90fe7d 1 parent 38d7a3a
@spookylukey spookylukey authored
Showing with 17 additions and 0 deletions.
  1. +9 −0 docs/ref/contrib/markup.txt
  2. +8 −0 docs/topics/security.txt
View
9 docs/ref/contrib/markup.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are.
+.. warning::
+
+ reStructured Text has features that allow raw HTML to be included, and that
+ allow arbitrary files to be included. These can lead to XSS vulnerabilities
+ and leaking of private information. It is your responsibility to check the
+ features of this library and configure appropriately to avoid this. See the
+ `Deploying Docutils Securely
+ <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
+
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
Markdown
View
8 docs/topics/security.txt
@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
+Markup library
+--------------
+
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
+information.
+
Cross site request forgery (CSRF) protection
============================================
Please sign in to comment.
Something went wrong with that request. Please try again.