Added more explicit warnings about unconfigured reStructured Text usage in docs.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-19 15:00:55 +00:00 · 2012-04-19 15:00:55 +00:00 · 718f149bb2
parent 38d7a3a0fe
commit 718f149bb2
2 changed files with 17 additions and 0 deletions
--- a/docs/ref/contrib/markup.txt
+++ b/docs/ref/contrib/markup.txt
@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
 override the default writer settings. See the `restructuredtext writer
 settings`_ for details on what these settings are.

+.. warning::
+
+   reStructured Text has features that allow raw HTML to be included, and that
+   allow arbitrary files to be included. These can lead to XSS vulnerabilities
+   and leaking of private information. It is your responsibility to check the
+   features of this library and configure appropriately to avoid this. See the
+   `Deploying Docutils Securely
+   <http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
+
 .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer

 Markdown
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@ -48,6 +48,14 @@ escaping.
 You should also be very careful when storing HTML in the database, especially
 when that HTML is retrieved and displayed.

+Markup library
+--------------
+
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
+information.
+
 Cross site request forgery (CSRF) protection
 ============================================