Whilst the raw directives are controlled by the "raw_enabled" option, the roles aren't. Thus, if someone makes use of rst on a website, an attacker could use a custom role to enter arbitrary text into a page.
Here's an example:
.. role:: unsafe_raw(raw)
:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
A patch is attached which adds a check to see if raw_enabled is allowed in the raw_role.
Patch against docutils 0.5
Update: as the snippet above is incorrect, it should be:
.. role:: unsafe_raw(raw)
   :format: html

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
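Added example, not part of the report or of the attached patch: rendering the corrected snippet with raw_enabled set both ways shows the role's HTML passing through as a live tag when raw is enabled and being downgraded to an escaped "problematic" node when it is not. It assumes a docutils release that includes the fix (0.6 or later) is installed.

```python
import io
from docutils.core import publish_parts

# Constructed input: the corrected snippet from the report above.
RST_SAMPLE = """\
.. role:: unsafe_raw(raw)
   :format: html

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
"""


def render_body(source: str, raw_enabled: bool) -> str:
    """Render reStructuredText to an HTML body fragment.

    raw_enabled mirrors the docutils setting of the same name; with the
    fix discussed above it gates the raw role as well as the raw directive.
    file_insertion_enabled is switched off too, as a site rendering
    untrusted rST would normally do.
    """
    overrides = {
        'raw_enabled': raw_enabled,
        'file_insertion_enabled': False,
        'warning_stream': io.StringIO(),  # keep docutils warnings off stderr
    }
    return publish_parts(source, writer_name='html',
                         settings_overrides=overrides)['body']


def raw_markup_passes_through(source: str, raw_enabled: bool) -> bool:
    """True if the raw role's HTML reaches the output as a live tag.

    When the role is refused, docutils replaces it with a 'problematic'
    node whose text is HTML-escaped, so '<p onclick=' cannot appear.
    """
    return '<p onclick=' in render_body(source, raw_enabled)


if __name__ == '__main__':
    for flag in (True, False):
        print(f'raw_enabled={flag}: markup passes through ='
              f' {raw_markup_passes_through(RST_SAMPLE, flag)}')
```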
Thanks for the patch. It's applied to SVN (upcoming release 0.6)