Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Javadoc templates should escape/encode rendered data #2854

Open
IgnatBeresnev opened this issue Feb 10, 2023 · 1 comment
Open

Javadoc templates should escape/encode rendered data #2854

IgnatBeresnev opened this issue Feb 10, 2023 · 1 comment
Labels
enhancement An issue for a feature or an overall improvement format: Javadoc An issue/PR related to Dokka's Javadoc output format or the Javadoc comments in general

Comments

@IgnatBeresnev
Copy link
Member

Dokka's Javadoc format uses HTML templates and maps to set page data, like in the following snippet from JavadocContentToTemplateMapTranslator:

fun templateMapForDeprecatedPage(node: DeprecatedPage): TemplateMap =
    mapOf(
        "id" to node.name,
        "title" to "Deprecated",
        "kind" to "deprecated",
        "sections" to node.elements.toList().sortedBy { (section, _) -> section.getPosition() }
            .map { (s, e) -> templateMapForDeprecatedPageSection(s, e) }
    )

As can be seen, the data used for values is used as is, whatever is returned from the method/property being called, which can lead to bug such as #2803 in case there's an internal mistake.

The data should be properly escaped/encoded, including the links (see #2813)
@IgnatBeresnev IgnatBeresnev added enhancement An issue for a feature or an overall improvement format: Javadoc An issue/PR related to Dokka's Javadoc output format or the Javadoc comments in general labels Feb 10, 2023
@IgnatBeresnev IgnatBeresnev mentioned this issue Feb 10, 2023
Merged
@TWiStErRob
Copy link
Contributor

Note: the problem is not in the model creation, it's in the view itself. See the .korte files ideally there would be a filter like: {{ pathToRoot|urlEncode|htmlAttribute }} as shown at https://docs.korge.org/korte/filters/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement An issue for a feature or an overall improvement format: Javadoc An issue/PR related to Dokka's Javadoc output format or the Javadoc comments in general
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TWiStErRob @IgnatBeresnev