https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #3 from Vladimir Panteleev <thecybersha...@gmail.com> ---
(In reply to Cédric Picard from comment #2)
> I was not aware that it is so by design. However if it is a design decision
> I believe the security consequences should be made very explicit and clear
> in DDOC's documentation so that people avoid distributing third-party
> projects' documentation or do it very carefully.

As I understand, this only matters from a security standpoint when DDoc output
is placed on the same domain as some dynamic content being targeted.

> Limiting the use to some tags would help the usability issue but not the
> security one.

As I understand, there is no usability issue here because it's working as
designed. Use $(LT) and $(GT) (or &lt; and &gt; if you don't care about any
output formats other than HTML) for < and >.

Anyway, limiting the use of some tags probably wouldn't work because the
document template is likely to have some macros involving script tags (or
allowing constructing arbitrary HTML tags, such as dlang.org's $(TAG) macro).
Fixing it from this angle would be much more complicated.

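A defender-side check for the point made in the comments above, added here as example code that is not part of this bug report or of DDoc itself: it scans a constructed D source for DDoc comments that contain a raw `<` or `>` (which DDoc copies verbatim into the HTML output) and shows the rewrite to the predefined `$(LT)`/`$(GT)` macros. It recognises only the `///` and `/** */` comment forms; the sample source and the function names are constructed for this example.

```python
import re

# Constructed sample D source. The first doc comment writes '<' and '>'
# directly, so DDoc emits them as HTML; the others use $(LT)/$(GT), which
# DDoc expands to &lt; and &gt; in HTML output.
SAMPLE_D_SOURCE = '''\
/// Compares a < b and renders <em>inline</em> HTML.
bool less(int a, int b) { return a < b; }

/// Compares a $(LT) b.
bool lessSafe(int a, int b) { return a < b; }

/** Checks both $(LT) and $(GT); no raw HTML. */
int cmp(int a, int b) { return a - b; }
'''

# Match a single-line '///' comment or a '/** ... */' block comment.
DOC_COMMENT_RE = re.compile(
    r'///(?P<line>[^\n]*)|/\*\*(?P<block>.*?)\*/', re.DOTALL)


def find_raw_angle_brackets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, comment_text) for every DDoc comment that
    contains a raw '<' or '>' character."""
    findings = []
    for m in DOC_COMMENT_RE.finditer(source):
        text = m.group('line') if m.group('line') is not None else m.group('block')
        if '<' in text or '>' in text:
            line_no = source.count('\n', 0, m.start()) + 1
            findings.append((line_no, text.strip()))
    return findings


def escape_ddoc_angles(comment_text: str) -> str:
    """Rewrite raw angle brackets to the DDoc macros that render them as
    literal characters in every output format."""
    return comment_text.replace('<', '$(LT)').replace('>', '$(GT)')


if __name__ == '__main__':
    for line_no, text in find_raw_angle_brackets(SAMPLE_D_SOURCE):
        print(f'line {line_no}: raw HTML in DDoc comment: {text!r}')
        print(f'  suggested: {escape_ddoc_angles(text)!r}')
```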