Should dartdoc escape HTML? #1458

Closed
leonsenft opened this issue Jun 7, 2017 · 2 comments
Labels
type-question A question about expected behavior or functionality

Comments

@leonsenft
HTML written in a doc comment isn't escaped, and is thus rendered by the browser as HTML elements instead of text. Here's an example from AngularDart's documentation. Notice the <button>Increment</button> in the component template is rendered as an actual button.

Is this intended as a feature that you can write HTML in your documentation? Or should dartdoc escape HTML-sensitive characters in doc comments to prevent this?

@leonsenft leonsenft added the type-question A question about expected behavior or functionality label Jun 7, 2017
@leonsenft
Author

I just realized the reason this occurred in the sample I linked was because the example wasn't properly enclosed in a code block.

@redcrossp

This issue should be reopened for discussion. I recently found this problem when labeling an input parameter in a comment; something like:

/// Generates a filtered image at <name>.bmp
void generateOutlineBitmap(String name, /* etc ... */) {
  // Dart allows a trailing comma in a parameter list, so this declaration
  // compiles as written; the body is omitted because only the doc comment matters here.
}

The generated html includes a name tag, and this exploit could be leveraged for harmful attacks. It seems that an html-generating program should sanitize its input for this.
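The failure mode described in this thread, as an added example that is not part of the issue or of dartdoc itself: a minimal doc-comment renderer in Python that shows the unescaped output (where `<name>` becomes a real element) beside an escaped renderer, plus a check that flags any tag in the output the renderer did not emit on purpose. The sample doc comment, the function names and the `stray_tags` heuristic are all constructed for this illustration.

```python
import html
import re

# Constructed sample: a Dart doc comment like the one reported above, with the
# "<name>" placeholder in prose and an HTML snippet inside a fenced code block.
SAMPLE_DOC = """\
/// Generates a filtered image at <name>.bmp
///
/// ```html
/// <button>Increment</button>
/// ```
"""

# Strips the leading "///" (and one optional space) from a Dart doc-comment line.
DOC_PREFIX = re.compile(r"^\s*///\s?")


def doc_lines(comment: str) -> list[str]:
    """Return the doc comment's text lines without their `///` markers."""
    return [DOC_PREFIX.sub("", line) for line in comment.splitlines()]


def render_unescaped(comment: str) -> str:
    """The problem from the thread: doc text copied straight into HTML.

    Anything that looks like a tag in the comment becomes a live element."""
    return "<p>" + "<br>".join(doc_lines(comment)) + "</p>"


def render_escaped(comment: str) -> str:
    """Escape HTML-sensitive characters in prose and in fenced code blocks.

    Fenced blocks are wrapped in <pre><code> so they keep their layout, but
    their contents are escaped too, so `<button>` is shown as text."""
    out: list[str] = []
    in_code = False
    for line in doc_lines(comment):
        if line.startswith("```"):
            out.append("</code></pre>" if in_code else "<pre><code>")
            in_code = not in_code
            continue
        escaped = html.escape(line, quote=True)
        if in_code:
            out.append(escaped)
        elif escaped:  # skip blank prose lines
            out.append(f"<p>{escaped}</p>")
    return "\n".join(out)


# Opening tags other than the handful this renderer emits itself.
FOREIGN_TAG = re.compile(r"<(?!/?(?:p|br|pre|code)\b)[a-zA-Z][^>]*>")


def stray_tags(rendered_html: str) -> list[str]:
    """List opening tags that did not come from the renderer (a detection aid)."""
    return [m.group(0) for m in FOREIGN_TAG.finditer(rendered_html)]


if __name__ == "__main__":
    print("unescaped stray tags:", stray_tags(render_unescaped(SAMPLE_DOC)))
    print("escaped stray tags:  ", stray_tags(render_escaped(SAMPLE_DOC)))
    print(render_escaped(SAMPLE_DOC))
```

On the constructed sample the unescaped renderer leaks both `<name>` and `<button>` into the page, while the escaped renderer produces no foreign tags and shows `&lt;name&gt;.bmp` as literal text. The `stray_tags` check is deliberately simple; in a real generator it belongs in a test that runs over the rendered documentation, not in the rendering path itself.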
