Should dartdoc escape HTML?

[leonsenft]

HTML written in a doc comment isn't escaped, and is thus rendered by the browser as HTML elements instead of text. Here's an example from AngularDart's documentation. Notice the <button>Increment</button> in the component template is rendered as an actual button.

Is this intended as a feature that you can write HTML in your documentation? Or should dartdoc escape HTML-sensitive characters in doc comments to prevent this?

[leonsenft]

I just realized the reason this occurred in the sample I linked was because the example wasn't properly enclosed in a code block.

[redcrossp]

This issue should be reopened for discussion. I recently found this problem when l labeling an input parameter in a comment; something like:

/// Generates a filtered image at <name>.bmp
void generateOutlineBitmap(String name, /* etc ... */) {

The generated html includes a name tag, and this exploit could be leveraged for harmful attacks. It seems that an html-generating program should sanitize its input for this.