You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug <a id="..." and <a name="..." and <a href="..." are containing weird values.
Here's an example (yes, this whole thing is ONE id, except it's invalid because it contains quotes and they're not escaped):
Expected behaviour
Short and valid references within the docs. Not exposing local file paths of the build machine / CI that creates the docs (it might be a security risk based on the threat model).
Additional context
Looks like a deep toString of some DSL object, so it might be a trivial fix. Also note that the value is used raw without any HTML escaping, so it's generates invalid/unsafe HTML with easy injection point.
The text was updated successfully, but these errors were encountered:
Wow, that's bad. Thanks for noticing and reporting it, and especially thanks for the reproducer - I was able to find the cause very quickly.
Looks like a deep toString of some DSL object
Indeed, the problem was basically this:
when(sealed) {
...
else-> sealed.toString()
}
There was no branch for typealias declarations, so it defaulted to toString()
Since we're doing when on a sealed class, I've removed the else branch and added implementations for remaining cases, so hopefully it doesn't happen again.
Describe the bug
<a id="..."
and<a name="..."
and<a href="..."
are containing weird values.Here's an example (yes, this whole thing is ONE
id
, except it's invalid because it contains quotes and they're not escaped):Expected behaviour
Short and valid references within the docs. Not exposing local file paths of the build machine / CI that creates the docs (it might be a security risk based on the threat model).
Screenshots
To Reproduce
gradlew dokkaJavadoc
common\build\dokka\javadoc\net\twisterrob\gradle\common\VariantTaskCreator.html
or inspectvariantConfig
method's link or anchor.Dokka configuration
Configuration of dokka used to reproduce the bug
Installation
Additional context
Looks like a deep
toString
of some DSL object, so it might be a trivial fix. Also note that the value is used raw without any HTML escaping, so it's generates invalid/unsafe HTML with easy injection point.The text was updated successfully, but these errors were encountered: