[1.4.x] Added more explicit warnings about unconfigured reStructuredText usage in docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37

Backport of 718f149 from master
commit ff6ee5f06c2850f098863d4a747069e10727293e 1 parent 45d4331
@spookylukey spookylukey authored
Showing with 17 additions and 0 deletions.
  1. +9 −0 docs/ref/contrib/markup.txt
  2. +8 −0 docs/topics/security.txt
9 docs/ref/contrib/markup.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are.
+.. warning::
+
+ reStructured Text has features that allow raw HTML to be included, and that
+ allow arbitrary files to be included. These can lead to XSS vulnerabilities
+ and leaking of private information. It is your responsibility to check the
+ features of this library and configure appropriately to avoid this. See the
+ `Deploying Docutils Securely
+ <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
+
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
Markdown
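Review bot: the new warning tells readers to "configure appropriately" but does not say which settings close the two holes it names, even though the paragraph just above explains that the filter accepts overrides for the docutils writer settings. Name them: the raw-HTML path is the docutils ``raw_enabled`` option and the file-inclusion path is ``file_insertion_enabled``; both should be set to ``False`` for untrusted input, and the linked "Deploying Docutils Securely" page says the same. Also, "reStructured Text" should be "reStructuredText" (one word), matching the ``restructuredtext`` filter name used in the same paragraph.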
8 docs/topics/security.txt
@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
+Markup library
+--------------
+
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
+information.
+
Cross site request forgery (CSRF) protection
============================================
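Review bot: the new "Markup library" paragraph only warns about raw HTML output, but the companion warning added to ``docs/ref/contrib/markup.txt`` in this same commit also covers arbitrary file inclusion, which leaks private data even when raw HTML is disabled. The two warnings should agree; suggest "...correctly configured them to ensure they do not allow raw HTML output or inclusion of arbitrary files."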