- Type: Enhancement
- Resolution: Unresolved
- Priority: P4
- Affects Version/s: None
- Component/s: tools
- None
- generic
- generic
JavaDoc currently uses a blacklist approach to detect inclusion of JavaScript in HTML attributes.
https://github.com/openjdk/jdk/blob/master/src/jdk.javadoc/share/classes/jdk/javadoc/internal/doclets/toolkit/util/JavaScriptScanner.java#L64-L70
However, new attributes are being added to the HTML standard, and some of them may support values that contain JavaScript.
https://html.spec.whatwg.org/multipage/indices.html#attributes-3
Since it is impossible to keep up with the evolving HTML standard, we should err on the side of safety and switch to a whitelist approach, scanning all attributes except those that are known to be safe. The risk for false positives is very small with this approach, because it should be very rare for new or unknown attributes to be used in API documentation, even rarer for such attributes to contain text resembling a javadoc: URL.
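A sketch of the difference between the two policies described above, added here as an example; it is not the JDK's JavaScriptScanner code. The attribute sets, the `javascript:` prefix check, the `on` prefix test and the attribute name `futureattr` are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added illustration only; names and lists are hypothetical. */
public class AttributeScanDemo {
    // Constructed, deliberately incomplete sample lists.
    static final Set<String> KNOWN_URL_ATTRS =
            Set.of("href", "src", "action", "formaction", "cite");
    static final Set<String> KNOWN_SAFE_ATTRS =
            Set.of("id", "class", "title", "lang", "dir", "width", "height");

    /** Assumed value check: a javascript: scheme, ignoring case, whitespace and control chars. */
    static boolean looksLikeScriptUrl(String value) {
        String v = value.replaceAll("[\\s\\p{Cntrl}]", "").toLowerCase(Locale.ROOT);
        return v.startsWith("javascript:");
    }

    /** Blacklist style: a value is examined only if the attribute is on a fixed list. */
    static boolean blacklistFlags(String name, String value) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.startsWith("on")
                || (KNOWN_URL_ATTRS.contains(n) && looksLikeScriptUrl(value));
    }

    /** Whitelist style: every value is examined unless the attribute is known to be safe. */
    static boolean whitelistFlags(String name, String value) {
        String n = name.toLowerCase(Locale.ROOT);
        if (KNOWN_SAFE_ATTRS.contains(n)) {
            return false;
        }
        return n.startsWith("on") || looksLikeScriptUrl(value);
    }

    public static void main(String[] args) {
        // Constructed sample attributes; "futureattr" stands for one added to HTML later.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("href", "javascript:void(0)");
        attrs.put("futureattr", "JavaScript:void(0)");
        attrs.put("title", "javascript: an overview");
        attrs.put("data-note", "see the javascript: section");
        attrs.forEach((name, value) -> System.out.printf(
                "%-10s blacklist=%-5b whitelist=%b%n",
                name, blacklistFlags(name, value), whitelistFlags(name, value)));
    }
}
```

Only the whitelist policy reports `futureattr`, while `title` and `data-note` stay unreported under both, which is the low false-positive behaviour the proposal relies on.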