rust-lang
Don't render playground code by default
Problem
A security and privacy improvement would be that the playground code in theme/book.js is not rendered to book/book.js upon build if not explicitly enabled in book.toml.
It is a security enhancement because it lowers the attack surface for remote code execution. Even if user sets runnable = false under [output.html.playground] the code is still available in rendered book.js, disabling it (if having Rust code) currently only removes <pre class="playground"> as mentioned in #2897 , i.e. it does not matter what type of book it is, if only using markdown that code is still there by default.
It is a privacy benefit because if using playgrounds, the rust code gets sent to a third party server. Having it disabled by default would make it possible to add to documentation that enabling this feature sends the rust code to a third party server, so only those comfortable with this will enable it.
Current workaround is to comment out playground code in themes/book.js as mentioned in #2887 .
Proposed Solution
There should be a value in book.toml which by default is set to false and this makes so no playground code is rendered in book/book.js.
Notes
No response
I'm not sure this is a good idea, playgrounds are an important feature of the book. The fact that the code is sent to the Playground is already documented too:
Rust language code blocks will automatically get a play button which will execute the code and display the output just below the code block. This works by sending the code to the Rust Playground.
https://rust-lang.github.io/mdBook/format/mdbook.html#rust-playground (emphasis mine)
It is a security enhancement because it lowers the attack surface for remote code execution
What do you mean by remote code execution? No external code is executed in your book or codebase, nor is any executed in the user's browser (and if you did find something like that, you should report it according to https://github.com/rust-lang/mdBook/security/policy, not in a public issue).
