Should dartdoc escape HTML? #1458

leonsenft · 2017-06-07T00:26:49Z

HTML written in a doc comment isn't escaped, and is thus rendered by the browser as HTML elements instead of text. Here's an example from AngularDart's documentation. Notice the <button>Increment</button> in the component template is rendered as an actual button.

Is this intended as a feature that you can write HTML in your documentation? Or should dartdoc escape HTML-sensitive characters in doc comments to prevent this?

The text was updated successfully, but these errors were encountered:

leonsenft · 2017-06-07T00:35:26Z

I just realized the reason this occurred in the sample I linked was because the example wasn't properly enclosed in a code block.

redcrossp · 2019-07-30T23:30:32Z

This issue should be reopened for discussion. I recently found this problem when l labeling an input parameter in a comment; something like:

/// Generates a filtered image at <name>.bmp
void generateOutlineBitmap(String name, /* etc ... */) {

The generated html includes a name tag, and this exploit could be leveraged for harmful attacks. It seems that an html-generating program should sanitize its input for this.

leonsenft added the type-question A question about expected behavior or functionality label Jun 7, 2017

leonsenft closed this as completed Jun 7, 2017

redcrossp mentioned this issue Jul 30, 2019

dartdoc should sanitize html #1995

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Should dartdoc escape HTML? #1458

Should dartdoc escape HTML? #1458

leonsenft commented Jun 7, 2017

leonsenft commented Jun 7, 2017

Uh oh!

redcrossp commented Jul 30, 2019

Uh oh!

Should dartdoc escape HTML? #1458

Should dartdoc escape HTML? #1458

Comments

leonsenft commented Jun 7, 2017

leonsenft commented Jun 7, 2017

Uh oh!

redcrossp commented Jul 30, 2019

Uh oh!