adrdox vs markdown vs ddoc
Seb
seb at wilzba.ch
Fri Feb 2 17:26:04 UTC 2018
On Thursday, 1 February 2018 at 14:51:41 UTC, ag0aep6g wrote:
> On 02/01/2018 07:18 AM, Seb wrote:
>> It tells quite a bit about the complexity of Ddoc that I had
>> to add support for -D to run.dlang.io ...
> [...]
>> I'm not a fan of Ddoc by any means, but that has been fixed in
>> Ddoc does this too now: https://run.dlang.io/is/75Z55o
>
> Uhh, is it a good idea to generate documentation on
> run.dlang.io? Isn't this an open invitation for XSS?
>
> Simple example, one can replace all links on the page with
> malicious ones:
> https://run.dlang.io/is/wYLpVx
I don't think it's a big problem as user needs to explicitly
approve the code by hitting Run.
Also all the other Web editors (JSBin, JSFiddle etc.) allow you
to do the same and even load the HTML + JS when you open the page.
Nevertheless, I added the "sandbox" feature of IFrames:
https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes
-> now even any kind of JS code can't be executed.
Thanks!
More information about the Digitalmars-d
mailing list