Anonymous committed a64c5e0

Added more explicit warnings about unconfigured reStructured Text usage in docs.

  • Parent commits 99b02d1


Files changed (2)

File docs/ref/contrib/markup.txt

 override the default writer settings. See the `restructuredtext writer
 settings`_ for details on what these settings are.
+.. warning::
+   reStructured Text has features that allow raw HTML to be included, and that
+   allow arbitrary files to be included. These can lead to XSS vulnerabilities
+   and leaking of private information. It is your responsibility to check the
+   features of this library and configure appropriately to avoid this. See the
+   `Deploying Docutils Securely
+   <>`_ documentation.
 .. _restructuredtext writer settings:
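Review bot: the reference `Deploying Docutils Securely <>`_ at the end of the warning has an empty URL target, so the link the warning points readers to for the actual hardening steps renders as dead; fill in the target before merging, since the whole warning defers to that document for the "configure appropriately" part. Two smaller points in the same hunk: the project name is spelled "reStructured Text" here while the surrounding file uses "reStructuredText", and no blank line is visible between the preceding paragraph and `.. warning::` or between the warning body and the `.. _restructuredtext writer settings:` label; confirm both separating blank lines are present in the committed file, as docutils needs them to parse the directive and the target as separate blocks.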

File docs/topics/security.txt

 You should also be very careful when storing HTML in the database, especially
 when that HTML is retrieved and displayed.
+Markup library
+If you use :mod:`django.contrib.markup`, you need to ensure that the filters are
+only used on trusted input, or that you have correctly configured them to ensure
+they do not allow raw HTML output. See the documentation of that module for more
 Cross site request forgery (CSRF) protection
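Review bot: the added text ends at "See the documentation of that module for more" with no continuation visible before the existing `Cross site request forgery (CSRF) protection` heading, and the new `Markup library` heading shows no underline in the hunk; check that the closing words of the sentence and the heading underline are in the committed file so the section renders as a heading rather than a paragraph. It would also help readers if this paragraph named the concrete risk the markup.txt warning in this same commit describes (raw HTML and file inclusion leading to XSS and information leakage), rather than only "raw HTML output", so the two documents give the same picture of what misconfiguration allows.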