Is the comment HTML code injection a bug or a feature?

Open syonfox opened this issue 3 years ago • 0 comments

Looks like there is still some injection after https://github.com/jsdoc/jsdoc/issues/1908

Not sure if it's related yet.

Input code

/**
 * <script> alert("cool jsdocs code injection")</script>
 * @class BS
 * @namespace bs */
let bs = {
	/**
	* @param foo
	* @returns {*}
	*/
	myFunc:(foo)=>{console.log("hello World")}
}

JSDoc configuration

mkdir test && cd test
nano test.js  # paste in the code above
npm install -g jsdoc
jsdoc test.js -d docs
firefox docs/index.html

Expected behavior

Probably escape any JS but allow injecting HTML?

Current behavior

Embed script tags in docs and they execute. Maybe it's a feature. But it should probably have a compile option. Sorry if I missed something. Happy coding

Your environment

| Software | Version |
| --- | --- |
| JSDoc | JSDoc 3.6.10 (Tue, 25 Jan 2022 02:05:39 GMT) |
| Node.js | NA |
| npm | 8.6.0 |
| OS | 10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux |

syonfox, Jun 01 '22 00:06
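
A pre-generation check for the behaviour reported above, as an added example that is not part of the original issue or of JSDoc itself: it scans `/** ... */` blocks for markup that would run script if copied unescaped into generated pages, and shows the HTML-escaped form of the same text. The function names, the rule list and the sample input are assumptions constructed for this example.

```javascript
// Added example (not JSDoc code). findActiveHtml and escapeHtml are
// hypothetical helper names; the rule list is a constructed starting point.

// Patterns that make a browser run code when comment text is emitted as-is.
const ACTIVE_HTML = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /<[^>]+\son\w+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedding-tag', re: /<\s*(?:iframe|object|embed)\b/i },
];

// Return one finding per rule matched inside each JSDoc block (/** ... */).
function findActiveHtml(source) {
  const findings = [];
  const blockRe = /\/\*\*[\s\S]*?\*\//g;
  let m;
  while ((m = blockRe.exec(source)) !== null) {
    // 1-based line number where the comment block starts.
    const line = source.slice(0, m.index).split('\n').length;
    for (const { name, re } of ACTIVE_HTML) {
      if (re.test(m[0])) findings.push({ line, rule: name });
    }
  }
  return findings;
}

// Escape text so it renders as literal characters in an HTML page.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Constructed sample: the input from the report, one string per source line.
const SAMPLE = [
  '/**',
  ' * <script> alert("cool jsdocs code injection")</script>',
  ' * @class BS',
  ' * @namespace bs */',
  'let bs = {',
  '\t/**',
  '\t* @param foo',
  '\t* @returns {*}',
  '\t*/',
  '\tmyFunc:(foo)=>{console.log("hello World")}',
  '}',
].join('\n');

console.log(findActiveHtml(SAMPLE), escapeHtml('<script> alert("x")</script>'));
```

Running the check in CI before `jsdoc` is invoked flags the first comment block and leaves the second one alone.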