[1.4.x] Added more explicit warnings about unconfigured reStructured Text usage in docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Backport of 718f149b
from master
This commit is contained in: parent 45d43317b7, commit ff6ee5f06c
@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
|
||||||
override the default writer settings. See the `restructuredtext writer
|
override the default writer settings. See the `restructuredtext writer
|
||||||
settings`_ for details on what these settings are.
|
settings`_ for details on what these settings are.
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
reStructured Text has features that allow raw HTML to be included, and that
|
||||||
|
allow arbitrary files to be included. These can lead to XSS vulnerabilities
|
||||||
|
and leaking of private information. It is your responsibility to check the
|
||||||
|
features of this library and configure appropriately to avoid this. See the
|
||||||
|
`Deploying Docutils Securely
|
||||||
|
<http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
|
||||||
|
|
||||||
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
|
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
|
||||||
|
|
||||||
Markdown
|
Markdown
|
||||||
|
|
|
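Review bot: the warning names the two dangerous feature classes (raw HTML passthrough and file inclusion) but never says which settings switch them off, and the only pointer the surrounding context gives is to "writer settings" (the ``html4css1-writer`` anchor), whereas both features are controlled by Docutils *parser* settings. Since the context line already explains that the filter lets you "override the default writer settings", the same warning should spell out the overrides that close these holes, ``raw_enabled`` and ``file_insertion_enabled`` both set to ``False``, so a reader does not have to hunt through the linked page for the wrong section. Minor: the project's name is "reStructuredText" (one word) on the line "reStructured Text has features that allow raw HTML to be included, and that".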
@ -48,6 +48,14 @@ escaping.
|
||||||
You should also be very careful when storing HTML in the database, especially
|
You should also be very careful when storing HTML in the database, especially
|
||||||
when that HTML is retrieved and displayed.
|
when that HTML is retrieved and displayed.
|
||||||
|
|
||||||
|
Markup library
|
||||||
|
--------------
|
||||||
|
|
||||||
|
If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
|
||||||
|
only used on trusted input, or that you have correctly configured them to ensure
|
||||||
|
they do not allow raw HTML output. See the documentation of that module for more
|
||||||
|
information.
|
||||||
|
|
||||||
Cross site request forgery (CSRF) protection
|
Cross site request forgery (CSRF) protection
|
||||||
============================================
|
============================================
|
||||||
|
|
||||||
|
|
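Review bot: the new paragraph only asks that the filters "do not allow raw HTML output", but the warning this same commit adds to the markup docs also calls out arbitrary file inclusion and "leaking of private information". As written, a reader who follows the security page alone would configure away the XSS half and leave the file-inclusion half open; the sentence "or that you have correctly configured them to ensure they do not allow raw HTML output" should say "raw HTML output or file inclusion", so the two pages give the same advice.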