110 points | by joshka 4 days ago
6 comments
Completely appalled to learn that docs.rs lets you inject any html/css/js you want into the live site (on pages documenting your crate). I love the flexibility but shudder at the security hole the size of, oh, I don’t know, the Grand Canyon.
It’s not a new discovery, I just didn’t know docs.rs (intentionally) wasn’t blocking this. Cf https://docs.rs/pwnies/0.0.13/pwnies/
Yea, it’s technically a bad idea but on the other hand there’s nothing there to steal.
How have other doc providers handled multilingual code highlighting at scale?
Also, seems clever to use custom elements to reduce `<span class="highlight-whatever">` to `<a-k>`.
The link does not work.
This looks like a truly amazing piece of work. Props to the author for doing a very thorough job.
Amos is horrifyingly productive!