author  Waylan Limberg <waylan@gmail.com>  2011-03-09 22:53:10 -0500
committer  Waylan Limberg <waylan@gmail.com>  2011-03-09 22:53:10 -0500
commit  80aa9a2d52f2fcbffd6e15d208b8ead5886900b1
tree  4df551a6e1d994e4529ad8a68df49b73ff64c026
parent  d6e2585772d5c1bcd04b9b30f8aa7220d45af486
Documented concern raised in Ticket 85. Added a warning that enabling safe_mode does not turn off attributes, so they should be turned off separately.
-rw-r--r--  docs/using_as_module.txt  8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/using_as_module.txt b/docs/using_as_module.txt
index 9031c4e..7c9008d 100644
--- a/docs/using_as_module.txt
+++ b/docs/using_as_module.txt
@@ -54,6 +54,10 @@ You should also use this method if you want to process multiple strings:
html1 = md.convert(text1)
html2 = md.convert(text2)
+Any options accepted by the `Markdown` class are also accepted by the
+`markdown` shortcut function. However, a new instant of the class will be
+created each time the shortcut function is called.
+
Working with Files
------------------
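Review bot: typo in the new paragraph: "a new instant of the class" should read "a new instance of the class". It may also be worth spelling out the consequence the paragraph implies, namely that because `markdown()` instantiates the class on every call it is slower than reusing one `Markdown` object, since that is exactly why the surrounding text ("You should also use this method if you want to process multiple strings") recommends the class for multiple strings.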
@@ -122,6 +126,10 @@ still create links using Markdown syntax.)
* To escape HTML, set ``safe_mode="escape"``. The HTML will be escaped and
included in the document.
+Note that "safe_mode" does not alter the "enable_attributes" option, which
+could allow someone to inject javascript (i.e., `{@onclick=alert(1)}`). You
+may also want to set `enable_attributes=False` when using "safe_mode".
+
Output Formats
--------------
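Review bot: the recommendation in the last added line is stated too softly for a security note: "You may also want to set `enable_attributes=False`" reads as optional, yet the sentence before it says the attribute syntax lets someone inject JavaScript regardless of `safe_mode`. Suggest phrasing it as a direct instruction, e.g. "When using `safe_mode` on untrusted input, also set `enable_attributes=False`." Two smaller points: "i.e." should be "e.g.", since `{@onclick=alert(1)}` is one example of an injectable event handler rather than the definition of the problem; and the option names are quoted inconsistently within this section ("safe_mode" in double quotes in the new lines versus ``safe_mode="escape"`` in literal markup two lines above), so the new text should use the literal markup as well.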