• via Digitalmars-d-bugs (29/29) May 10 2017 https://issues.dlang.org/show_bug.cgi?id=17391

via Digitalmars-d-bugs <digitalmars-d-bugs puremagic.com> writes:

https://issues.dlang.org/show_bug.cgi?id=17391

          Issue ID: 17391
           Summary: SECURITY: XSS through DDOC comments
           Product: D
           Version: D2
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nobody puremagic.com
          Reporter: cpicard openmailbox.org

DDOC comments are not escaped and this results in a XSS vulnerability.

Proof of concept:

test.d:

    /// <script>alert(2)</script>
    void f() {
        return;
    }

$ dmd -D test.d
$ firefox test.html  -> an alert box appears

The security issue is clear although it requires manipulating the user to
compile and display malicious comments. But as compiling the documentation is
something many do before thoroughly reading the code it's still a valid
security issue.

Also, aside from that, it breaks valid documentation so there's a usability
issue as well.

--