Fix Issue 17391 - SECURITY: XSS through DDOC comments

CyberShadow · CyberShadow · commit 4d69c1abd487 · 2017-05-10T22:12:42.000Z
Add a documentation note about the security considerations of
embeddable HTML in DDoc.
diff --git a/dcompiler.dd b/dcompiler.dd
@@ -424,7 +424,9 @@ dmd -cov -unittest myprog.d
       )
 
       $(SWITCH $(SWNAME -D),
-        generate $(LINK2 spec/ddoc.html, documentation) from source
+        $(P Generate $(LINK2 spec/ddoc.html, documentation) from source.)
+
+        $(P Note: mind the $(LINK2 spec/ddoc.html#security, security considerations).)
       )
 
       $(SWITCH $(SWNAME -Dd)$(I docdir),
diff --git a/spec/ddoc.dd b/spec/ddoc.dd
@@ -1033,6 +1033,16 @@ $(P
     generated by Ddoc.
 )
 
+$(H2 $(LNAME2 security, Security considerations))
+
+$(P
+    Note that DDoc comments may embed raw HTML, including
+    $(LT)script$(GT) tags. Be careful when publishing or distributing
+    rendered DDoc HTML generated from untrusted sources, as this may
+    allow $(LINK2 https://en.wikipedia.org/wiki/Cross-site_scripting,
+    cross-site scripting).
+)
+
 $(H2 Links to D documentation generators)
 
 $(P

Original file line number	Diff line number	Diff line change
`@@ -424,7 +424,9 @@ dmd -cov -unittest myprog.d`
`424`	`424`	`)`
`425`	`425`
`426`	`426`	`$(SWITCH $(SWNAME -D),`
`427`		`- generate $(LINK2 spec/ddoc.html, documentation) from source`
	`427`	`+ $(P Generate $(LINK2 spec/ddoc.html, documentation) from source.)`
	`428`	`+`
	`429`	`+ $(P Note: mind the $(LINK2 spec/ddoc.html#security, security considerations).)`
`428`	`430`	`)`
`429`	`431`
`430`	`432`	`$(SWITCH $(SWNAME -Dd)$(I docdir),`