HTML written in a doc comment isn't escaped, and is thus rendered by the browser as HTML elements instead of text. Here's an example from AngularDart's documentation. Notice the <button>Increment</button> in the component template is rendered as an actual button.
Is this intended as a feature that you can write HTML in your documentation? Or should dartdoc escape HTML-sensitive characters in doc comments to prevent this?
This issue should be reopened for discussion. I recently found this problem when labeling an input parameter in a comment; something like:
```dart
/// Generates a filtered image at <name>.bmp
void generateOutlineBitmap(String name, /* etc ... */) {
}
```
The generated HTML includes a `<name>` tag, and this exploit could be leveraged for harmful attacks. It seems that an HTML-generating program should sanitize its input for this.
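To make the behaviour in the original report and in the `<name>.bmp` comment above concrete, here is an added example (not dartdoc's code, and not written by anyone in this thread) of a minimal doc-comment renderer in Python. It pulls `///` comments out of a constructed Dart snippet modelled on the two cases in this thread, renders each comment once without escaping (what the issue describes) and once with HTML-escaping (the fix being asked for), and runs a crude check for stray tags. The regexes, function names and the sample source are all assumptions made for this illustration.

```python
import html
import re

# Constructed sample Dart source, modelled on the two snippets in this thread
# (the "<name>.bmp" parameter label and the AngularDart <button> template).
# This is illustration input, not code from dartdoc or AngularDart.
DART_SOURCE = '''\
/// Generates a filtered image at <name>.bmp
void generateOutlineBitmap(String name) {}

/// Component template: <button>Increment</button>
class CounterComponent {}
'''

# One or more consecutive "///" lines, followed by the declaration they document.
# Simplified for the example: stops the declaration at the first "{" or ";".
DOC_COMMENT_RE = re.compile(
    r'((?:^[ \t]*///[^\n]*\n)+)'   # the doc comment block
    r'[ \t]*([^\n{;]+)',           # the declaration that follows it
    re.MULTILINE,
)


def extract_doc_comments(source):
    """Return (declaration, comment_text) pairs found in Dart source text."""
    results = []
    for m in DOC_COMMENT_RE.finditer(source):
        # Strip the "///" marker and surrounding whitespace from every line.
        lines = [line.strip()[3:].strip() for line in m.group(1).splitlines()]
        results.append((m.group(2).strip(), "\n".join(lines)))
    return results


def render_unsafe(comment):
    """The behaviour the issue describes: comment text pasted into HTML verbatim,
    so "<name>" and "<button>" become real elements in the generated page."""
    return "<p>" + comment + "</p>"


def render_escaped(comment):
    """The requested fix: escape HTML-sensitive characters first, so the browser
    shows "<name>.bmp" as text instead of parsing an unknown <name> element."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def contains_tags(rendered, allowed=("p",)):
    """Crude check used here to demonstrate the difference: does the rendered
    HTML contain any tag name outside the allow-list? (Not a real sanitizer.)"""
    tags = re.findall(r'</?([a-zA-Z][a-zA-Z0-9-]*)', rendered)
    return any(tag.lower() not in allowed for tag in tags)


if __name__ == "__main__":
    for declaration, comment in extract_doc_comments(DART_SOURCE):
        print(declaration)
        print("  unsafe :", render_unsafe(comment), "| stray tags:", contains_tags(render_unsafe(comment)))
        print("  escaped:", render_escaped(comment), "| stray tags:", contains_tags(render_escaped(comment)))
```

Blanket escaping is the safe default, but it also removes any ability to write intentional inline HTML in a doc comment (the "feature" the original question raises). If that ability is wanted, the generator needs an allow-list sanitizer rather than no escaping at all, since `<name>` in a parameter description and `<button>` in a quoted template are indistinguishable from markup the author meant to render.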