Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rustdoc: parenthetical after attribute syntax breaks HTML #14814

Closed
kmcallister opened this issue Jun 11, 2014 · 12 comments
Closed

rustdoc: parenthetical after attribute syntax breaks HTML #14814

kmcallister opened this issue Jun 11, 2014 · 12 comments
Labels
T-rustdoc Relevant to the rustdoc team, which will review and decide on the PR/issue.

Comments

@kmcallister
Copy link
Contributor 

/// Declare with
/// #[foo] (my favorite attribute)
#[foo]
pub fn main() { }

produces

<pre class='rust fn'>pub fn main()</pre><div class='docblock'><p>Declare with</p>

<h1 id="<a-href="my%20favorite%20attribute">foo</a>" class='section-header'><a
                           href="#<a-href="my%20favorite%20attribute">foo</a>"><a href="my%20favorite%20attribute">foo</a></a></h1>

because it parses as a Markdown link. The right thing to do is put backtics around the attribute syntax, but this is still a really confusing failure.

It would also be an XSS vulnerability if we hosted docs generated from user contributed libraries:

/// Declare with
/// #[foo] (my favorite attribute) <script>alert(document.cookie)</script>

But the conservative solution there is to put user content on another origin (e.g. rust-user-content.org) which doesn't hold any credentials.
@huonw
Copy link
Member

huonw commented Jun 11, 2014

HTML in markdown get interpreted literally i.e.

/// <script>alert("hi");</script>
fn foo() {}

is also an XSS risk:

<div class='docblock'><script>alert("hi");</script>
</div></section>

@alexcrichton
Copy link
Member

The first one I view as a fact of using markdown, and can be fixed with:

/// Declare with
/// \#[foo] \(my favorite attribute)
#[foo]
pub fn main() { }

The second one I view as bit of not a bug because you're the one writing documentation, so it's not necessarily XSS because no one is injecting anything into your page?

@huonw
Copy link
Member

huonw commented Jun 11, 2014

If we had a public service hosting documentation (well, anyone hosting such things, I guess Rust CI may be affected), then someone can write a Rust library that injects javascript into that site, meaning it should be hosted on something with no credentials.

@kmcallister kmcallister added the T-rustdoc Relevant to the rustdoc team, which will review and decide on the PR/issue. label Sep 27, 2014
@tomjakubowski
Copy link
Contributor

It would probably be reasonable to add an option to rustdoc which enables Hoedown's HTML_ESCAPE or HTML_SKIP for this case of hosting rustdocs on a site with some kind of credentials in use, or perhaps one that uses a post-processor to remove <script> tags and javascript: links and event attributes (onclick et al.) from the generated HTML.

@kmcallister
Copy link
Contributor Author

a post-processor to remove <script> tags and javascript: links and event attributes (onclick et al.) from the generated HTML.

Doing this safely requires completely parsing the HTML and whitelisting tags / attributes at the AST level, then re-serializing as well-formed HTML. Anything short of that will have loopholes due to browsers' attempts to interpret seriously malformed HTML (see The Tangled Web chapter 4).

@alexcrichton
Copy link
Member

I'm going to close this as not-a-bug as by using Markdown we're committing ourselves to one form of syntax or another, and any XSS vulnerabilities or vectors would probably be handled when we set up hosting!

@tomjakubowski
Copy link
Contributor

I'd recommend that we make a very clear warning somewhere that hosting docs for arbitrary crates opens up XSS attacks and proper precautions should be taken. It's important to remember that crates.io isn't the only domain hosting rustdocs.


Sent from Mailbox

On Mon, Apr 6, 2015 at 3:18 PM, Alex Crichton notifications@github.com
wrote:

I'm going to close this as not-a-bug as by using Markdown we're committing ourselves to one form of syntax or another, and any XSS vulnerabilities or vectors would probably be handled when we set up hosting!

Reply to this email directly or view it on GitHub:
#14814 (comment)

@tomjakubowski
Copy link
Contributor

Er, I mean docs.rust-lang.org or whatever. Although it's conceivable that crates.io (or a sub domain) will host docs as well some day.


Sent from Mailbox

On Mon, Apr 6, 2015 at 3:18 PM, Alex Crichton notifications@github.com
wrote:

Closed #14814.

Reply to this email directly or view it on GitHub:
#14814 (comment)

@kmcallister
Copy link
Contributor Author

Better register crates-user-content.io...

@kmcallister
Copy link
Contributor Author

Doing this safely requires completely parsing the HTML and whitelisting tags / attributes at the AST level, then re-serializing as well-formed HTML.

fwiw I think html5ever is up to this task now.

@alexcrichton alexcrichton mentioned this issue Apr 7, 2015
Closed
@alexcrichton
Copy link
Member

@tomjakubowski good idea! I've opened #24160

@lambda-fairy
Copy link
Contributor

@kmcallister According to rust-lang/crates.io#91, some members of the community have reserved rustdoc.org and doc.rs for this purpose. So getting a domain is not a blocker.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
T-rustdoc Relevant to the rustdoc team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alexcrichton @kmcallister @tomjakubowski @huonw @lambda-fairy