aboutsummaryrefslogtreecommitdiff
path: root/MANUAL.txt
diff options
context:
space:
mode:
Diffstat (limited to 'MANUAL.txt')
-rw-r--r--MANUAL.txt30
1 files changed, 30 insertions, 0 deletions
diff --git a/MANUAL.txt b/MANUAL.txt
index c126eb9d2..fb3fda805 100644
--- a/MANUAL.txt
+++ b/MANUAL.txt
@@ -4842,6 +4842,36 @@ which you can modify according to your needs, do
[lua]: http://www.lua.org
+A note on security
+==================
+
+If you use pandoc to convert user-contributed content in a web
+application, here are some things to keep in mind:
+
+1. Although pandoc itself will not create or modify any files other
+ than those you explicitly ask it create (with the exception
+ of temporary files used in producing PDFs), a filter or custom
+ writer could in principle do anything on your file system. Please
+ audit filters and custom writers very carefully before using them.
+
+2. If your application uses pandoc as a Haskell library (rather than
+ shelling out to the executable), it is possible to use it in a mode
+ that fully isolates pandoc from your file system, by running the
+ pandoc operations in the `PandocPure` monad. See the document
+ [Using the pandoc API](http://pandoc.org/using-the-pandoc-api.html)
+ for more details.
+
+3. Pandoc's parsers can exhibit pathological performance on some
+ corner cases. It is wise to put any pandoc operations under
+ a timeout, to avoid DOS attacks that exploit these issues.
+
+4. The HTML generated by pandoc is not guaranteed to be safe.
+ If `raw_html` is enabled for the Markdown input, users can
+ inject arbitrary HTML. Even if `raw_html` is disabled,
+ users can include dangerous content in attributes for
+ headers, spans, and code blocks. To be safe, you should
+ run all the generated HTML through an HTML sanitizer.
+
Authors
=======