The flaw is in the roles feature, which is designed to let an author bypass reStructuredText parsing for a span of text. The problem was that even when the option to disable the raw directive (which likewise passes text through unfiltered) was set, the raw role was still permitted.
Here's an example of how this could be used::

    .. role:: unsafe_raw(raw)
       :format: html

    :unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
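As an added example (not code from the page or from docutils), the following pre-screen scans untrusted reStructuredText for the pattern above: ``raw`` directives, direct ``:raw:`` usage, and custom roles that derive from ``raw``, including chains such as ``a(raw)`` then ``b(a)``. The sample input is constructed to mirror the page's example.

```python
import re

# Constructed sample: a custom role derived from the built-in raw role, then used inline.
SAMPLE = """\
.. role:: unsafe_raw(raw)
   :format: html

Some text.

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
"""

# ".. role:: name(base)" definitions; the base role is optional.
ROLE_DEF = re.compile(r"^\s*\.\.\s+role::\s*([\w.-]+)\s*(?:\(([\w.-]+)\))?", re.MULTILINE)
# ".. raw::" directives anywhere in the document.
RAW_DIRECTIVE = re.compile(r"^\s*\.\.\s+raw::", re.MULTILINE | re.IGNORECASE)
# Inline role usage in prefix form, e.g. :name:`text` (role names are case-insensitive in rst).
ROLE_USE = re.compile(r":([\w.-]+):`")


def raw_role_names(source):
    """Return the set of role names that resolve, directly or transitively, to 'raw'."""
    defs = {name.lower(): (base or "").lower() for name, base in ROLE_DEF.findall(source)}
    raw = {"raw"}
    changed = True
    while changed:  # iterate to a fixed point so chained definitions are caught
        changed = False
        for name, base in defs.items():
            if base in raw and name not in raw:
                raw.add(name)
                changed = True
    return raw


def find_raw_usage(source):
    """Return (kind, name, line_number) for every raw directive or raw-derived role use."""
    names = raw_role_names(source)
    findings = []
    for m in RAW_DIRECTIVE.finditer(source):
        findings.append(("directive", "raw", source.count("\n", 0, m.start()) + 1))
    for m in ROLE_USE.finditer(source):
        if m.group(1).lower() in names:
            findings.append(("role", m.group(1), source.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for kind, name, line in find_raw_usage(SAMPLE):
        print(f"line {line}: {kind} '{name}' passes unfiltered text through")
```

This only screens the prefix form of inline roles and is a belt-and-braces check for content you log or reject; the actual fix is running docutils 0.6 or later with raw disabled (the ``raw_enabled`` setting, ``--no-raw`` on the command line).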
The good news is that, following the provision of a patch, this was fixed in release 0.6 of docutils. If you're using reStructuredText on a site where third parties can supply content through it, it's definitely recommended that you check you're running 0.6 or higher.