From 3b113be573cdbca20ce9ec9c0a6efb25ccf51db5 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 4 Jan 2018 15:59:59 +0100 Subject: Eval blacklist Add support for eval filtering, only blacklist for now--- doc/source/features.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'doc/source/features.rst') diff --git a/doc/source/features.rst b/doc/source/features.rst index afe139a..8ecf57d 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst @@ -321,6 +321,19 @@ Snuffleupagus can prevent the execution of this kind of file. A good practice would be to use a different user to run PHP than for administrating the website, and using this feature to lock this up. +.. _eval-feature: + +White and blacklist in ``eval`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +While `eval `__ is a +dangerous primitive, tricky to use right, with almost no legitimate usage +besides templating and building mathematical expressions based on user input, +it's broadly (mis)used all around the web. + +Snuffleupagus provides a white and blacklist mechanism, to explicitly allow +and forbid specific functions call from being issued inside ``eval``. + Protection against cross site request forgery ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -- cgit v1.3
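Review bot: The new section describes "a white and blacklist mechanism, to explicitly allow and forbid specific functions call", but the commit message itself says "only blacklist for now", so the documentation promises a whitelist that this change does not ship; either state that only the blacklist is implemented yet, or hold the whitelist wording until it exists. In the same hunk, the link `eval `__ has no target between the backticks as shown here, so it will not render as a hyperlink; confirm it is written as `eval <URL>`__ in the source. Also fix "specific functions call" to "specific function calls", and consider adding a short configuration example under the new ``eval-feature`` label like the other feature sections on this page do, so readers know how to enable the filtering.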