docs/ref/contrib/markup.txt +9 −0 Original line number Diff line number Diff line Loading @@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a override the default writer settings. See the `restructuredtext writer settings`_ for details on what these settings are. .. warning:: reStructured Text has features that allow raw HTML to be included, and that allow arbitrary files to be included. These can lead to XSS vulnerabilities and leaking of private information. It is your responsibility to check the features of this library and configure appropriately to avoid this. See the `Deploying Docutils Securely <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation. .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer Markdown Loading
docs/topics/security.txt +8 −0 Original line number Diff line number Diff line Loading @@ -48,6 +48,14 @@ escaping. You should also be very careful when storing HTML in the database, especially when that HTML is retrieved and displayed. Markup library -------------- If you use :mod:`django.contrib.markup`, you need to ensure that the filters are only used on trusted input, or that you have correctly configured them to ensure they do not allow raw HTML output. See the documentation of that module for more information. Cross site request forgery (CSRF) protection ============================================ Loading
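Review bot: In the markup.txt hunk, the new warning tells the reader to "configure appropriately" but the only configuration link on the page is to the html4css1 writer settings, while raw HTML and file inclusion are controlled by the docutils parser settings (`raw_enabled` and `file_insertion_enabled`), so a reader following the link will not find them. Suggest naming those two parser settings in the warning alongside the Deploying Docutils Securely link, and correcting "reStructured Text" to "reStructuredText" (the unchanged context line "you can define a override" also needs "an override").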
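Review bot: In the security.txt hunk, the condition "correctly configured them to ensure they do not allow raw HTML output" is narrower than the warning added to markup.txt in the same change, which also covers inclusion of arbitrary files and the resulting information leak; disabling raw HTML alone does not address that. Suggest wording the Markup library section to match, e.g. "do not allow raw HTML output or inclusion of local files", so the two documents give the same advice.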