Request for comment: ending support for rcdom implementation

Josh Bowman-Matthews

Jul 20, 2019, 11:06:54 PM
to dev-...@lists.mozilla.org
Recently a vulnerability was discovered in markup5ever's RcDom
implementation that could cause a DoS in a user-facing system that
relied on it for parsing or serialization. RcDom was never intended to
be a production-quality implementation, but it has traditionally been
exposed as a public part of markup5ever and then re-exposed as part of
both html5ever and xml5ever.

Given this state of affairs, and my desire to focus the Servo team's
efforts on the only DOM implementation that matters to us (namely the
custom one inside Servo), I want to move RcDom out of
markup5ever/html5ever/xml5ever's public APIs and into a crate that
contains lots of clear, scary warnings about why it shouldn't be
depended upon in production systems and ensure that anybody doing so
understands the support they should expect (none).

I have opened https://github.com/servo/html5ever/pull/386 for these
changes. I've listed some of the benefits and drawbacks to publishing
the new markup5ever_rcdom crate, and I would be interested in feedback
on the best course of action here.

Cheers,
Josh