From: Florian L. <mai...@xg...> - 2007-03-20 07:18:09
On Monday, 19 March 2007 20:16, David Goodger wrote:
> On 3/15/07, Florian Lindner <mai...@xg...> wrote:
> > On Thursday, 15 March 2007 20:25, David Goodger wrote:
> > > On 3/15/07, Florian Lindner <mai...@xg...> wrote:
> > > > is there a standard way to embed HTML in restructured text? So that
> > > > the HTML is still there after processing? The HTML should not be
> > > > converted.
> > >
> > > The "raw" directive is what you want:
> > > http://docutils.sourceforge.net/docs/ref/rst/directives.html#raw
> >
> > Yes, thanks, that is exactly what I was looking for.
> >
> > Reading the link made me aware of some security flaws in my application
> > where untrusted users enter rest. Now I use these settings:
> >
> > settings_override = {}
> > settings_override["raw_enabled"] = False
> > settings_override["file_insertion_enabled"] = False
> >
> > Is this safe?
>
> If you pass the settings_override parameter properly, yes. Try it and see.
>
> > But these settings still don't entirely satisfy me because if somebody
> > enters .. raw:: html a warning message is printed informing that raw is
> > disabled.
>
> Correct. The warning also includes the original directive & its content.
>
> > If I set:
> >
> > settings_override["report_level"] = "quiet"
> >
> > The raw directive is completely removed from output. What I want is
> > that it is treated just like any other text, appearing also in the
> > output.
> >
> > Is that possible?
>
> No.
>
> I don't understand why you'd want to do that. If the "raw" directive
> is enabled, uses will be processed. If it's not enabled, uses are
> illegal. The current behavior is correct.

I just want to disable it as a directive, and the text processor should
treat it just like any other text. It should not generate a warning, nor
should it swallow the text. Just act like raw wasn't a rest keyword. So users
can use it without causing harm or generating an error message.

Thanks,

Florian
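The three behaviours discussed in this thread, as an added example that is not part of the original messages: the "raw" directive enabled, disabled with the warning left visible, and disabled with system messages suppressed. It assumes docutils is installed; `render` is a hypothetical helper, the input strings are constructed, and the numeric `report_level` of 5 is this example's choice for hiding all system messages.

```python
import io

from docutils.core import publish_parts

# Constructed samples of untrusted reStructuredText.
RAW_SAMPLE = "Hello\n\n.. raw:: html\n\n   <b>bold</b>\n"
INCLUDE_SAMPLE = "Hello\n\n.. include:: /etc/hostname\n"

# The two settings from the thread that matter for untrusted input.
HARDENED = {"raw_enabled": False, "file_insertion_enabled": False}

# Same restrictions, with system messages filtered out of the output.
HARDENED_QUIET = dict(HARDENED, report_level=5)


def render(source, overrides):
    """Render reST to an HTML body fragment (hypothetical helper).

    Returns (body, warnings). Warnings go to an in-memory stream so they
    can be logged by the application instead of printed to stderr.
    """
    warnings = io.StringIO()
    settings = dict(overrides, warning_stream=warnings)
    parts = publish_parts(
        source, writer_name="html", settings_overrides=settings
    )
    return parts["body"], warnings.getvalue()


if __name__ == "__main__":
    for label, overrides in [
        ("default", {}),
        ("hardened", HARDENED),
        ("hardened + quiet", HARDENED_QUIET),
    ]:
        body, warnings = render(RAW_SAMPLE, overrides)
        print("==", label)
        print(body)
        print("warnings:", warnings.strip() or "(none)")
```

Note that the keyword argument on `publish_parts` is `settings_overrides` (plural); a dictionary that is built but never passed under that name leaves the defaults in effect.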