On Thursday, 1 February 2018 at 14:51:41 UTC, ag0aep6g wrote:
> On 02/01/2018 07:18 AM, Seb wrote:
>> It tells quite a bit about the complexity of Ddoc that I had
>> to add support for -D to run.dlang.io ...
>> [...]
>> I'm not a fan of Ddoc by any means, but that has been fixed in
>> Ddoc does this too now: https://run.dlang.io/is/75Z55o
> Uhh, is it a good idea to generate documentation on
> run.dlang.io? Isn't this an open invitation for XSS?
> Simple example, one can replace all links on the page with
> malicious ones:
> https://run.dlang.io/is/wYLpVx
I don't think it's a big problem, as the user needs to explicitly
approve the code by hitting Run.
Also all the other Web editors (JSBin, JSFiddle etc.) allow you
to do the same and even load the HTML + JS when you open the page.
Nevertheless, I added the "sandbox" feature of IFrames:
https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes
-> now no JS code of any kind can be executed.
Thanks!
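The iframe sandbox mitigation Seb describes, as an added example that is not run.dlang.io's code: untrusted generated HTML (such as Ddoc output) is placed in an iframe whose `sandbox` attribute is empty, so every restriction applies (opaque origin, no scripts, no forms, no top navigation), and a check refuses the token combinations that would undo the sandbox. The function names (`checkSandboxTokens`, `embedUntrustedHtml`), the optional `doc` parameter used for offline testing, and the sample HTML are assumptions made for illustration.

```javascript
// Added example, not run.dlang.io's code: show untrusted generated HTML in a
// fully sandboxed iframe and reject sandbox token sets that defeat the sandbox.

// Tokens the HTML spec defines for the iframe "sandbox" attribute.
const KNOWN_SANDBOX_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Decide whether a sandbox token list is acceptable for untrusted content.
// Returns { ok, reason }. An empty list (sandbox="") is the safest setting.
function checkSandboxTokens(tokens) {
  const set = new Set(tokens.map((t) => t.trim().toLowerCase()).filter(Boolean));
  for (const t of set) {
    if (!KNOWN_SANDBOX_TOKENS.has(t)) return { ok: false, reason: `unknown token ${t}` };
  }
  // With both allow-scripts and allow-same-origin, a srcdoc frame is same-origin
  // with the host page: its script can reach parent.document or remove its own
  // sandbox attribute, which is the XSS the sandbox was meant to stop.
  if (set.has("allow-scripts") && set.has("allow-same-origin")) {
    return { ok: false, reason: "allow-scripts with allow-same-origin defeats the sandbox" };
  }
  // Unconditional top navigation lets the frame redirect the host page.
  if (set.has("allow-top-navigation")) {
    return { ok: false, reason: "allow-top-navigation lets the frame redirect the host page" };
  }
  return { ok: true, reason: "" };
}

// Build an iframe showing `untrustedHtml` under the given sandbox tokens
// (default: none, i.e. all restrictions on) and append it to `container`.
// `doc` defaults to the page's document; an offline test can pass a stub.
function embedUntrustedHtml(untrustedHtml, container, tokens = [], doc = globalThis.document) {
  const verdict = checkSandboxTokens(tokens);
  if (!verdict.ok) throw new Error(`refusing to embed: ${verdict.reason}`);
  const frame = doc.createElement("iframe");
  // Set sandbox before the content so the restrictions apply to the first load.
  frame.setAttribute("sandbox", tokens.join(" "));
  frame.setAttribute("referrerpolicy", "no-referrer");
  // srcdoc keeps the generated HTML inline; without allow-same-origin the
  // frame still gets an opaque origin distinct from the host page.
  frame.setAttribute("srcdoc", untrustedHtml);
  container.appendChild(frame);
  return frame;
}

// Constructed sample: generated "documentation" carrying injected markup.
const SAMPLE_UNTRUSTED_HTML =
  '<h1>Docs</h1><a href="https://example.invalid/">link</a><script>alert(1)</script>';

// Stand-alone demo when run in a browser; skipped under Node, which has no DOM.
if (typeof document !== "undefined") {
  embedUntrustedHtml(SAMPLE_UNTRUSTED_HTML, document.body);
}
```

The check exists because an empty `sandbox` is easy to weaken later: adding `allow-scripts` alone is still contained (the frame runs script in an opaque origin), but adding `allow-same-origin` alongside it hands the embedded content the host origin, and the HTML specification itself warns against that pairing for untrusted content.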