[Issue 17391] SECURITY: XSS through DDOC comments

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Wed May 10 14:49:21 PDT 2017


https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #4 from Cédric Picard <cpicard at openmailbox.org> ---
(In reply to Vladimir Panteleev from comment #3)
> As I understand, this only matters from a security standpoint when DDoc
> output is placed on the same domain as some dynamic content being targeted.

Not at all: while what you describe is the most common case, there are many
things that are possible through XSS that do not target the current domain.
Also, bugs in browsers are a common thing.

> > Limiting the use to some tags would help the usability issue but not the
> > security one.
> 
> As I understand, there is no usability issue here because it's working as
> designed. Use $(LT) and $(GT) (or &lt; and &gt; if you don't care about any
> output formats other than HTML) for < and >.

Well, I first discovered the thing because I hit it. But sure, if it's as
designed, no comment here.

> Anyway, limiting the use of some tags probably wouldn't work because the
> document template is likely to have some macros involving script tags (or
> allowing constructing arbitrary HTML tags, such as dlang.org's $(TAG)
> macro). Fixing it from this angle would be much more complicated.

Indeed, and there are also much more subtle XSSs than <script>. Given how DDOC
works I don't think it is fixable at all short of dropping all support for
inlined HTML, which I didn't realize was an issue at the time.

I suppose it's a won't fix; at least a bug report will be there for the next
person to discover this.
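A check in the spirit of the thread's conclusion, as an added example that is not part of the bug report or of DDoc itself: a Python script that flags raw HTML tags inside D doc comments (the vector discussed above) and a helper that rewrites `<`, `>` and `&` into the `$(LT)`, `$(GT)` and `$(AMP)` macros so they render as text. It assumes `$(AMP)` is predefined alongside `$(LT)`/`$(GT)`, works on a constructed sample source, and does not handle nested `/+ +/` comments.

```python
import re

# Constructed sample D source (not from the bug report): one comment uses the
# LT/GT macros, one carries raw inline HTML, one uses HTML entities.
SAMPLE = """\
/// Compares $(LT)a$(GT) with b using the LT/GT macros (safe).
int cmp(int a, int b) { return a - b; }

/** Renders <b>bold</b> text and then <script>x()</script>. */
void render() {}

/++ Uses &lt;pre&gt; entities and a $(LINK http://example.invalid) macro. +/
void entities() {}
"""

# The three DDoc comment forms: ///, /** ... */ and /++ ... +/ (nesting ignored).
DOC_COMMENT = re.compile(r"///[^\n]*|/\*\*.*?\*/|/\+\+.*?\+/", re.S)
# A raw HTML tag: '<', optional '/', a letter, anything up to '>'.
RAW_TAG = re.compile(r"</?[A-Za-z][^>]*>")

def find_raw_html(source):
    """Return (line, tag) for every raw HTML tag found inside a DDoc comment.

    DDoc copies such tags into its HTML output unchanged, so each hit is a
    place where arbitrary markup (script tags included) reaches the page."""
    hits = []
    for m in DOC_COMMENT.finditer(source):
        base_line = source.count("\n", 0, m.start()) + 1
        body = m.group(0)
        for t in RAW_TAG.finditer(body):
            hits.append((base_line + body.count("\n", 0, t.start()), t.group(0)))
    return hits

# Ordered so that '&' is handled first; the macro names themselves contain
# none of these characters, so later passes never re-escape earlier output.
# $(AMP) is assumed to be predefined like $(LT) and $(GT).
ESCAPES = (("&", "$(AMP)"), ("<", "$(LT)"), (">", "$(GT)"))

def escape_for_ddoc(text):
    """Rewrite literal '&', '<', '>' into the DDoc macros that render them as text."""
    for ch, macro in ESCAPES:
        text = text.replace(ch, macro)
    return text

if __name__ == "__main__":
    for line, tag in find_raw_html(SAMPLE):
        print(f"line {line}: raw HTML tag {tag!r} in doc comment")
```

Running `escape_for_ddoc` over a whole comment body is only appropriate for comments that never intend inline HTML; as the thread notes, DDoc's design makes inline HTML legitimate, so the scanner is the part that fits a review or CI step.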
