Recently a vulnerability was discovered in markup5ever's RcDom implementation that could cause a DoS in a user-facing system that relied on it for parsing or serialization. RcDom was never intended to be a production-quality implementation, but it has traditionally been exposed as a public part of markup5ever and then re-exposed as part of both html5ever and xml5ever.

Given this state of affairs, and my desire to focus the Servo team's efforts on the only DOM implementation that matters to us (namely the custom one inside Servo), I want to move RcDom out of markup5ever/html5ever/xml5ever's public APIs and into a crate that contains lots of clear, scary warnings about why it shouldn't be depended upon in production systems and ensure that anybody doing so understands the support they should expect (none).

I have opened https://github.com/servo/html5ever/pull/386 for these changes. I've listed some of the benefits and drawbacks of publishing the new markup5ever_rcdom crate, and I would be interested in feedback on the best course of action here.

Cheers,
Josh
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo