May 10, 2017 [Issue 17391] New: SECURITY: XSS through DDOC comments
https://issues.dlang.org/show_bug.cgi?id=17391

  Issue ID: 17391
  Summary: SECURITY: XSS through DDOC comments
  Product: D
  Version: D2
  Hardware: x86_64
  OS: Linux
  Status: NEW
  Severity: normal
  Priority: P1
  Component: dmd
  Assignee: nobody@puremagic.com
  Reporter: cpicard@openmailbox.org

DDOC comments are not escaped and this results in a XSS vulnerability.

Proof of concept:

test.d:

    /// <script>alert(2)</script>
    void f() { return; }

    $ dmd -D test.d
    $ firefox test.html
    -> an alert box appears

The security issue is clear although it requires manipulating the user to compile and display malicious comments. But as compiling the documentation is something many do before thoroughly reading the code it's still a valid security issue.

Also, aside from that, it breaks valid documentation so there's a usability issue as well.

--
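A pre-build check for the situation the report describes, as an added example that is not part of the original message or of dmd: it scans D source for documentation comments containing HTML markup characters before documentation is generated, and shows the same comments rendered with escaping. The regex-based comment matching is a simplifying assumption (it ignores string literals and nested `/+ +/` comments), and `doc_comments`, `audit` and `render_escaped` are hypothetical names.

```python
import html
import re

# Matches D documentation comments: `/// line`, `/** block */`, `/++ block +/`.
# Assumption: a heuristic, not a D lexer (string literals and nesting are ignored).
DOC_COMMENT = re.compile(
    r"///(?P<line>[^\n]*)"
    r"|/\*\*(?P<star>.*?)\*/"
    r"|/\+\+(?P<plus>.*?)\+/",
    re.DOTALL,
)
# Characters that become markup when copied unescaped into an HTML page.
HTML_SPECIAL = re.compile(r"[<>&]")


def doc_comments(source):
    """Yield (line_number, text) for each documentation comment in D source."""
    for m in DOC_COMMENT.finditer(source):
        text = m.group("line") or m.group("star") or m.group("plus") or ""
        yield source.count("\n", 0, m.start()) + 1, text.strip()


def audit(source):
    """Return the doc comments whose text a browser would parse as markup."""
    return [(n, t) for n, t in doc_comments(source) if HTML_SPECIAL.search(t)]


def render_escaped(source):
    """Render doc comments as HTML paragraphs with the comment text escaped."""
    return "\n".join(f"<p>{html.escape(t)}</p>" for _, t in doc_comments(source))


# Constructed sample: the report's test.d plus one harmless doc comment.
SAMPLE = """/// <script>alert(2)</script>
void f() { return; }

/// Returns the sum of a and b.
int add(int a, int b) { return a + b; }
"""

if __name__ == "__main__":
    for line_no, text in audit(SAMPLE):
        print(f"test.d:{line_no}: markup in doc comment: {text}")
    print(render_escaped(SAMPLE))
```

Run against untrusted source before building its documentation; any reported line is text that would reach the generated HTML as live markup if it is not escaped.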