summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2012-04-19 15:00:55 +0000
committerLuke Plant <L.Plant.98@cantab.net>2012-06-08 15:02:15 +0100
commitff6ee5f06c2850f098863d4a747069e10727293e (patch)
treeed3416b60e6977c53a0a8c941f656b97ae6f14cd /docs
parent45d43317b7db845a7c565522b3e6e6b2dab46a64 (diff)
[1.4.x] Added more explicit warnings about unconfigured reStructured Text usage in docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37 Backport of 718f149b from master
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/contrib/markup.txt9
-rw-r--r--docs/topics/security.txt8
2 files changed, 17 insertions, 0 deletions
diff --git a/docs/ref/contrib/markup.txt b/docs/ref/contrib/markup.txt
index 3abc27bf5d..0b4a2072ac 100644
--- a/docs/ref/contrib/markup.txt
+++ b/docs/ref/contrib/markup.txt
@@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
override the default writer settings. See the `restructuredtext writer
settings`_ for details on what these settings are.
+.. warning::
+
+ reStructured Text has features that allow raw HTML to be included, and that
+ allow arbitrary files to be included. These can lead to XSS vulnerabilities
+ and leaking of private information. It is your responsibility to check the
+ features of this library and configure appropriately to avoid this. See the
+ `Deploying Docutils Securely
+ <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
+
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
Markdown
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index 914b63fd40..151853d4ac 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -48,6 +48,14 @@ escaping.
You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.
+Markup library
+--------------
+
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
+information.
+
Cross site request forgery (CSRF) protection
============================================