John McCardle
7f253da581
Fixes HTML injection vulnerability in generate_dynamic_docs.py where description text was not HTML-escaped before being inserted into HTML output. Special characters like <, >, & could be interpreted as HTML. Changes: - Modified transform_doc_links() to escape all non-link text when format='html' or format='web' - Link text and hrefs are also properly escaped - Non-HTML formats (markdown, python) remain unchanged - Added proper handling for descriptions with mixed plain text and links The fix splits docstrings into link and non-link segments, escapes non-link segments, and properly escapes content within link patterns. Tested with comprehensive test suite covering: - Basic HTML special characters - Special chars with links - Special chars in link text - Multiple links with special chars 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| generate_api_docs.py | ||
| generate_api_docs_html.py | ||
| generate_api_docs_simple.py | ||
| generate_color_table.py | ||
| generate_complete_api_docs.py | ||
| generate_complete_markdown_docs.py | ||
| generate_dynamic_docs.py | ||
| generate_stubs.py | ||
| generate_stubs_v2.py | ||
| gitea_issues.py | ||
| test_link_transform.py | ||
| test_vector_docs.py | ||
| ui_methods_documentation.py | ||