Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

[1.4.x] Added more explicit warnings about unconfigured reStructured …

…Text usage in docs.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37

Backport of 718f149 from master
  • Loading branch information...
commit ff6ee5f06c2850f098863d4a747069e10727293e 1 parent 45d4331
@spookylukey spookylukey authored
Showing with 17 additions and 0 deletions.
  1. +9 −0 docs/ref/contrib/markup.txt
  2. +8 −0 docs/topics/security.txt
9 docs/ref/contrib/markup.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are.
+.. warning::
+ reStructured Text has features that allow raw HTML to be included, and that
+ allow arbitrary files to be included. These can lead to XSS vulnerabilities
+ and leaking of private information. It is your responsibility to check the
+ features of this library and configure appropriately to avoid this. See the
+ `Deploying Docutils Securely
+ <>`_ documentation.
.. _restructuredtext writer settings:
8 docs/topics/security.txt
@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
+Markup library
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
Cross site request forgery (CSRF) protection
Please sign in to comment.
Something went wrong with that request. Please try again.