[Issue 17391] SECURITY: XSS through DDOC comments

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Wed May 10 14:36:30 PDT 2017


https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #3 from Vladimir Panteleev <thecybershadow at gmail.com> ---
(In reply to Cédric Picard from comment #2)
> I was not aware that it is so by design. However if it is a design decision
> I believe the security consequences should be made very explicit and clear
> in DDOC's documentation so that people avoid distributing third-party
> projects' documentation or do it very carefully.

As I understand, this only matters from a security standpoint when DDoc output
is placed on the same domain as some dynamic content being targeted.

> Limiting the use to some tags would help the usability issue but not the
> security one.

As I understand, there is no usability issue here because it's working as
designed. Use $(LT) and $(GT) (or < and > if you don't care about any
output formats other than HTML) for < and >.

Anyway, limiting the use of some tags probably wouldn't work because the
document template is likely to have some macros involving script tags (or
allowing constructing arbitrary HTML tags, such as dlang.org's $(TAG) macro).
Fixing it from this angle would be much more complicated.

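Since DDoc passes raw HTML in doc comments through to the generated page by design, a project that hosts third-party documentation on the same origin as dynamic content needs a way to audit the sources first. The script below is an added example, not part of this bug report or of the DMD/DDoc code base. It is a regex heuristic that extracts the three DDoc comment forms (`/** */`, `/++ +/`, runs of `///`), reports any tag-like sequence written with literal angle brackets rather than the $(LT)/$(GT) macros mentioned above, and offers a helper that rewrites text into those macros. The D source it scans is constructed for the example; the comment forms and the macro names are the assumptions it relies on.

```python
"""Audit D sources for raw HTML inside DDoc comments (added example, not DMD/DDoc code)."""
import re
from typing import List, Tuple

# Constructed sample D source for the example (not taken from the bug report).
# Line 3 carries raw HTML, line 6 uses the $(LT)/$(GT) macros, line 10 carries raw HTML.
SAMPLE_D_SOURCE = """\
module example;

/// Renders the string; <script>alert(document.cookie)</script> lands verbatim in the HTML.
void render(string s) {}

/// Returns true if $(LT)a$(GT) sorts before $(LT)b$(GT).
bool before(int a, int b) { return a < b; }

/**
 * Takes a <b>bold</b> label.
 */
void label(string s) {}

/++ Ordinary comment with no markup. +/
void plain() {}
"""

# The three DDoc comment forms: /** ... */, /++ ... +/, and consecutive /// lines.
# Heuristic only: it does not parse D, so a comment-shaped string literal is matched too,
# and a nested /+ +/ comment is cut at the first +/.
COMMENT_RE = re.compile(
    r'/\*\*(?!/)(?P<star>.*?)\*/'
    r'|/\+\+(?!/)(?P<plus>.*?)\+/'
    r'|(?P<slash>(?:^[ \t]*///[^\n]*(?:\n|$))+)',
    re.S | re.M,
)

# Anything shaped like an HTML tag written with literal angle brackets.
RAW_TAG_RE = re.compile(r'</?[A-Za-z][^<>]*>')


def find_raw_html(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag_text) for every tag-like sequence inside a DDoc comment."""
    findings = []
    for m in COMMENT_RE.finditer(source):
        name = m.lastgroup                      # which comment form matched
        body, body_start = m.group(name), m.start(name)
        for t in RAW_TAG_RE.finditer(body):
            abs_pos = body_start + t.start()    # offset into the whole source
            line = source.count('\n', 0, abs_pos) + 1
            findings.append((line, t.group(0)))
    return findings


def to_ddoc_macros(text: str) -> str:
    """Rewrite literal angle brackets as the $(LT)/$(GT) macros so the output is escaped
    regardless of the DDoc output format (the workaround named in the comment above)."""
    return text.replace('<', '$(LT)').replace('>', '$(GT)')


if __name__ == '__main__':
    for line, tag in find_raw_html(SAMPLE_D_SOURCE):
        print(f'line {line}: raw HTML in DDoc comment: {tag!r}')
    print(to_ddoc_macros('<script>alert(1)</script>'))
```

Run it over a tree of `.d` files before publishing their generated documentation; anything it reports will reach the HTML as-is unless the author intended markup there. It deliberately stays silent on a bare `<` in code outside comments (line 7 of the sample) and on comments that already use the macros (line 6).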