mirror of https://github.com/django/django.git (synced 2025-10-25 14:46:09 +00:00)
	Added more explicit warnings about unconfigured reStructured Text usage in docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
		| @@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a | ||||
| override the default writer settings. See the `restructuredtext writer | ||||
| settings`_ for details on what these settings are. | ||||
|  | ||||
| .. warning:: | ||||
|  | ||||
|    reStructured Text has features that allow raw HTML to be included, and that | ||||
|    allow arbitrary files to be included. These can lead to XSS vulnerabilities | ||||
|    and leaking of private information. It is your responsibility to check the | ||||
|    features of this library and configure appropriately to avoid this. See the | ||||
|    `Deploying Docutils Securely | ||||
|    <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation. | ||||
|  | ||||
| .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer | ||||
|  | ||||
| Markdown | ||||
|   | ||||
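Review bot: the new warning tells readers that raw HTML and file inclusion must be turned off but not how, so a reader has to leave the page to find out which settings matter; since the preceding context line already says the filter lets you override the docutils writer settings, it would help to name the two docutils settings that disable these features, `raw_enabled` and `file_insertion_enabled` (both should be off for untrusted input), right next to the link to "Deploying Docutils Securely". Minor style point: the library's own spelling is "reStructuredText" (one word), so "reStructured Text has features..." should read "reStructuredText has features...".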
| @@ -48,6 +48,14 @@ escaping. | ||||
| You should also be very careful when storing HTML in the database, especially | ||||
| when that HTML is retrieved and displayed. | ||||
|  | ||||
| Markup library | ||||
| -------------- | ||||
|  | ||||
| If you use :mod:`django.contrib.markup`, you need to ensure that the filters are | ||||
| only used on trusted input, or that you have correctly configured them to ensure | ||||
| they do not allow raw HTML output. See the documentation of that module for more | ||||
| information. | ||||
|  | ||||
| Cross site request forgery (CSRF) protection | ||||
| ============================================ | ||||
|  | ||||
|   | ||||
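Review bot: the new "Markup library" section only mentions preventing "raw HTML output", while the matching warning added to the markup docs in the other hunk names two distinct risks, raw HTML (XSS) and arbitrary file inclusion (leaking private information); the security document should cover both, e.g. "...correctly configured them so they do not allow raw HTML output or inclusion of arbitrary files." so a reader of the security guide alone does not miss the file-inclusion case.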