1
0
mirror of https://github.com/django/django.git synced 2025-10-25 06:36:07 +00:00

Added more explicit warnings about unconfigured reStructured Text usage in docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant
2012-04-19 15:00:55 +00:00
parent 38d7a3a0fe
commit 718f149bb2
2 changed files with 17 additions and 0 deletions

View File

@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are. settings`_ for details on what these settings are.
.. warning::
reStructured Text has features that allow raw HTML to be included, and that
allow arbitrary files to be included. These can lead to XSS vulnerabilities
and leaking of private information. It is your responsibility to check the
features of this library and configure appropriately to avoid this. See the
`Deploying Docutils Securely
<http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
Markdown Markdown

View File

@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed. when that HTML is retrieved and displayed.
Markup library
--------------
If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
only used on trusted input, or that you have correctly configured them to ensure
they do not allow raw HTML output. See the documentation of that module for more
information.
Cross site request forgery (CSRF) protection Cross site request forgery (CSRF) protection
============================================ ============================================