On Thursday, 1 February 2018 at 14:51:41 UTC, ag0aep6g wrote:
On 02/01/2018 07:18 AM, Seb wrote:
It tells quite a bit about the complexity of Ddoc that I had to add support for -D to run.dlang.io ...
[...]
I'm not a fan of Ddoc by any means, but that has been fixed in Ddoc does this too now: https://run.dlang.io/is/75Z55o

Uhh, is it a good idea to generate documentation on run.dlang.io? Isn't this an open invitation for XSS?

Simple example, one can replace all links on the page with malicious ones:
https://run.dlang.io/is/wYLpVx

I don't think it's a big problem as the user needs to explicitly approve the code by hitting Run. Also all the other Web editors (JSBin, JSFiddle etc.) allow you to do the same and even load the HTML + JS when you open the page.

Nevertheless, I added the "sandbox" feature of IFrames:

https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes

-> now JS code of any kind can't be executed.
Thanks!
