mirror of https://github.com/django/django.git
Added more explicit warnings about unconfigured reStructured Text usage in docs.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17915 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
38d7a3a0fe
commit
718f149bb2
|
@ -46,6 +46,15 @@ When using the ``restructuredtext`` markup filter you can define a
|
|||
override the default writer settings. See the `restructuredtext writer
|
||||
settings`_ for details on what these settings are.
|
||||
|
||||
.. warning::
|
||||
|
||||
reStructured Text has features that allow raw HTML to be included, and that
|
||||
allow arbitrary files to be included. These can lead to XSS vulnerabilities
|
||||
and leaking of private information. It is your responsibility to check the
|
||||
features of this library and configure appropriately to avoid this. See the
|
||||
`Deploying Docutils Securely
|
||||
<http://docutils.sourceforge.net/docs/howto/security.html>`_ documentation.
|
||||
|
||||
.. _restructuredtext writer settings: http://docutils.sourceforge.net/docs/user/config.html#html4css1-writer
|
||||
|
||||
Markdown
|
||||
|
|
|
@ -48,6 +48,14 @@ escaping.
|
|||
You should also be very careful when storing HTML in the database, especially
|
||||
when that HTML is retrieved and displayed.
|
||||
|
||||
Markup library
|
||||
--------------
|
||||
|
||||
If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
|
||||
only used on trusted input, or that you have correctly configured them to ensure
|
||||
they do not allow raw HTML output. See the documentation of that module for more
|
||||
information.
|
||||
|
||||
Cross site request forgery (CSRF) protection
|
||||
============================================
|
||||
|
||||
|
|
Loading…
Reference in New Issue