[Issue 17391] New: SECURITY: XSS through DDOC comments

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Wed May 10 13:40:20 PDT 2017


https://issues.dlang.org/show_bug.cgi?id=17391

          Issue ID: 17391
           Summary: SECURITY: XSS through DDOC comments
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nobody at puremagic.com
          Reporter: cpicard at openmailbox.org

DDOC comments are not escaped and this results in a XSS vulnerability.

Proof of concept:

test.d:

    /// <script>alert(2)</script>
    void f() {
        return;
    }

$ dmd -D test.d
$ firefox test.html  -> an alert box appears

The security issue is clear although it requires manipulating the user to
compile and display malicious comments. But as compiling the documentation is
something many do before thoroughly reading the code it's still a valid
security issue.

Also, aside from that, it breaks valid documentation so there's a usability
issue as well.

--


More information about the Digitalmars-d-bugs mailing list