diff options
| author | jvoisin | 2019-01-21 00:28:47 +0100 |
|---|---|---|
| committer | jvoisin | 2019-01-21 00:29:13 +0100 |
| commit | 73dec8383e517a251ffe1f0c51d65627b281519d (patch) | |
| tree | d3dc41fa6b11d5d59a4d22fa8fd86f35774b9a4d /doc | |
| parent | 0311a299f84bfcbdf53f33dab2c8c1e9939a5631 (diff) | |
Document the point of having a black-list approach for eval
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/source/features.rst | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst index 9bd9907..e3ae876 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst | |||
| @@ -386,6 +386,11 @@ it's broadly (mis)used all around the web. | |||
| 386 | Snuffleupagus provides a white and blacklist mechanism, to explicitly allow | 386 | Snuffleupagus provides a white and blacklist mechanism, to explicitly allow |
| 387 | and forbid specific functions call from being issued inside ``eval``. | 387 | and forbid specific functions call from being issued inside ``eval``. |
| 388 | 388 | ||
| 389 | While it's heavily recommended to only use the whitelist feature, the blacklist | ||
| 390 | one exists because some adminsys might want to use it to catch automated | ||
| 391 | script-kiddies attacks, while being confident that doing so won't break a | ||
| 392 | single website. | ||
| 393 | |||
| 389 | .. _samesite-feature: | 394 | .. _samesite-feature: |
| 390 | 395 | ||
| 391 | Protection against cross site request forgery | 396 | Protection against cross site request forgery |