From ff6ee5f06c2850f098863d4a747069e10727293e Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Thu, 19 Apr 2012 15:00:55 +0000 Subject: [PATCH] [1.4.x] Added more explicit warnings about unconfigured reStructured Text usage in docs. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37 Backport of 718f149b from master --- docs/ref/contrib/markup.txt | 9 +++++++++ docs/topics/security.txt | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/docs/ref/contrib/markup.txt b/docs/ref/contrib/markup.txt index 3abc27bf5d..0b4a2072ac 100644 --- a/docs/ref/contrib/markup.txt +++ b/docs/ref/contrib/markup.txt @@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a override the default writer settings. See the `restructuredtext writer settings`_ for details on what these settings are. +.. warning:: + + reStructured Text has features that allow raw HTML to be included, and that + allow arbitrary files to be included. These can lead to XSS vulnerabilities + and leaking of private information. It is your responsibility to check the + features of this library and configure appropriately to avoid this. See the + `Deploying Docutils Securely + `_ documentation. + .. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer Markdown diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 914b63fd40..151853d4ac 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt 
@@ -48,6 +48,14 @@ escaping. You should also be very careful when storing HTML in the database, especially when that HTML is retrieved and displayed. +Markup library +-------------- + +If you use :mod:`django.contrib.markup`, you need to ensure that the filters are +only used on trusted input, or that you have correctly configured them to ensure +they do not allow raw HTML output. See the documentation of that module for more +information. + Cross site request forgery (CSRF) protection ============================================
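Review bot: the new warning in ``docs/ref/contrib/markup.txt`` names the risk but not the fix. The paragraph just above it already tells readers they can override the docutils writer settings, so the warning should say which settings close these two holes, namely ``raw_enabled: False`` (disables the ``raw`` directive that injects HTML verbatim) and ``file_insertion_enabled: False`` (disables ``include`` and the ``:file:`` option of ``raw``), instead of leaving them to work it out from the linked Docutils page. Two smaller points in the same hunk: the project's name is ``reStructuredText`` (one word), not ``reStructured Text``, and as the hunk stands the link ```Deploying Docutils Securely `_`` has no ``<url>`` target between the link text and the closing backtick, so Sphinx would report it as an undefined named reference; the target needs to be present.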
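Review bot: the new "Markup library" section in ``docs/topics/security.txt`` covers only the raw-HTML case ("ensure they do not allow raw HTML output"), while the ``markup.txt`` hunk in this same patch warns of two separate problems, raw HTML (XSS) and arbitrary file inclusion (leaking private information). A reader who follows only this section and disables raw HTML is still exposed to the file-inclusion issue, so the sentence should name both; suggest "... or that you have correctly configured them so that they neither emit raw HTML nor include arbitrary files from the filesystem. See the documentation of that module for more information." It would also help to say that "trusted input" means content written by site administrators, not anything submitted by end users, so the advice is not misread as applying only to anonymous input.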