From 59defc5c7496f5deeea5a05bf640c0f3060800a1 Mon Sep 17 00:00:00 2001
From: Richard Darst
Date: Wed, 01 Jul 2009 05:01:41 +0000
Subject: Security for rst->html - disallow includes and raw html - http://docutils.sourceforge.net/docs/howto/security.html darcs-hash:20090701050141-82ea9-7c548a15dc4427c248871eb3eec43fa88c8a0f17.gz
---
(limited to 'writers.py')
diff --git a/writers.py b/writers.py
index d237c07..57cf7b0 100644
--- a/writers.py
+++ b/writers.py
@@ -312,5 +312,7 @@ class HTMLfromRST(object):
 def format(self, M):
 import docutils.core
 rst = RST().format(M)
- rstToHTML = docutils.core.publish_string(rst, writer_name='html')
+ rstToHTML = docutils.core.publish_string(rst, writer_name='html',
+ settings_overrides={'file_insertion_enabled': 0,
+ 'raw_enabled': 0})
 return rstToHTML
--
cgit v0.9.1
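Review bot: The `settings_overrides` dict added to the `publish_string` call in `format` carries the security intent only in the commit message, so a later cleanup could drop it without noticing; a comment directly above the call such as `# rst text is untrusted: disable file-reading directives (include, csv-table :file:/:url:) and raw HTML passthrough` would keep the reason next to the code. `False` would read more clearly than `0` for these two boolean settings. These overrides cover only the two directive families named in the docutils security howto; as far as I know docutils does not restrict URI schemes in explicit hyperlink targets, so if the returned HTML is served to browsers it is worth confirming that link targets are constrained or the output is sanitized elsewhere. The enclosing class `HTMLfromRST` starts outside the hunk, so any handling before or after `format` is not visible here.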