Diffstat (limited to 'MANUAL.txt')
-rw-r--r--  MANUAL.txt  30
1 file changed, 30 insertions, 0 deletions
diff --git a/MANUAL.txt b/MANUAL.txt index c126eb9d2..fb3fda805 100644 --- a/MANUAL.txt +++ b/MANUAL.txt @@ -4842,6 +4842,36 @@ which you can modify according to your needs, do [lua]: http://www.lua.org +A note on security +================== + +If you use pandoc to convert user-contributed content in a web +application, here are some things to keep in mind: + +1. Although pandoc itself will not create or modify any files other + than those you explicitly ask it create (with the exception + of temporary files used in producing PDFs), a filter or custom + writer could in principle do anything on your file system. Please + audit filters and custom writers very carefully before using them. + +2. If your application uses pandoc as a Haskell library (rather than + shelling out to the executable), it is possible to use it in a mode + that fully isolates pandoc from your file system, by running the + pandoc operations in the `PandocPure` monad. See the document + [Using the pandoc API](http://pandoc.org/using-the-pandoc-api.html) + for more details. + +3. Pandoc's parsers can exhibit pathological performance on some + corner cases. It is wise to put any pandoc operations under + a timeout, to avoid DOS attacks that exploit these issues. + +4. The HTML generated by pandoc is not guaranteed to be safe. + If `raw_html` is enabled for the Markdown input, users can + inject arbitrary HTML. Even if `raw_html` is disabled, + users can include dangerous content in attributes for + headers, spans, and code blocks. To be safe, you should + run all the generated HTML through an HTML sanitizer. + Authors ======= |
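Review bot: Item 1 of the new "A note on security" section has a typo in its opening sentence: "other than those you explicitly ask it create" is missing "to" and should read "other than those you explicitly ask it to create". Item 1 also covers only file creation and modification, while item 2 describes `PandocPure` as a mode that "fully isolates pandoc from your file system", which implies that file reads are part of the exposure as well; consider stating in item 1 that a filter or custom writer can also read any file the pandoc process can, so the reader does not conclude that only writes are a concern. Minor: in item 3, "DOS attacks" should be "DoS attacks" (denial of service), and the link in item 2 could use the `https://` form of http://pandoc.org/using-the-pandoc-api.html if the site serves it.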