asciidoctor / asciidoctor.org

:globe_with_meridians: Asciidoctor project site. Composed in AsciiDoc. Baked with Awestruct.
https://asciidoctor.org

Document security assumptions #820

Closed obilodeau closed 2 years ago

obilodeau commented 5 years ago

As discussed on Gitter, some security assumptions regarding Asciidoctor (and to an extent, the AsciiDoc language) should be documented.

For example, passthrough blocks can be used to inject JavaScript directly into the HTML rendered by Asciidoctor. This is unsurprising and, in fact, a feature. But other places don't sanitize for HTML either, like the id parameter [id=...], where quotes can be passed, resulting in injection into an HTML attribute which can also be exploited.

Hosting a service on the Web allowing untrusted AsciiDoc input could lead to XSS and SSRF by design even in safe mode. Extra care should be taken if you are doing this.

Roughly, here's the raw material for an eventual policy discussed on Gitter:

Asciidoctor does reasonable escaping to allow an author to safely type text, but not to limit what can be passed through. The reason for this policy is that we expect that the document will be passed through a sanitizer if the HTML is to be embedded directly into another context.

And that's exactly what GitHub and GitLab do.

[snip] [The] reason for this policy, [... is ...] it really wouldn't be possible for Asciidoctor to fully handle all the necessary rules without severely restricting its usefulness.

p.s.: sorry if this issue is succinct but I lost the text of the original issue due to a tab crash
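The policy quoted in this issue places the sanitizing step downstream of Asciidoctor rather than inside it. As an added example that is not part of the issue or of Asciidoctor, the allowlist pass below shows what that step looks like with only the Python standard library; the sample HTML is constructed to resemble converter output for the two cases the post names (a passthrough block carrying a script, and an [id=...] that smuggled in an extra attribute), not captured from Asciidoctor, and the tag and attribute lists are an assumption a deployment would tune.

```python
# Added example, not Asciidoctor's own code: an allowlist sanitizer applied
# to Asciidoctor HTML before it is embedded in another page.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists; a real deployment tunes these to the markup it embeds.
ALLOWED_TAGS = {"div", "p", "h1", "h2", "h3", "a", "em", "strong", "code",
                "pre", "ul", "ol", "li", "table", "tr", "td", "th", "br"}
ALLOWED_ATTRS = {"id", "class", "href"}        # every other attribute is dropped
DROP_CONTENT = {"script", "style"}             # element and its text both removed
SAFE_SCHEMES = {"http", "https", "mailto", ""} # "" keeps relative links
VOID = {"br"}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_CONTENT:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text still flows via handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:
                continue  # event handlers and other extras are never re-emitted
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

def sanitize(html: str) -> str:
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)

# Constructed sample resembling Asciidoctor output, not captured from it.
SAMPLE = ('<div id="intro" class="paragraph"><p>Hello &amp; welcome</p></div>'
          '<script>console.log("passthrough")</script>'
          '<div id="x" onmouseover="console.log(1)" class="paragraph"><p>Hover</p></div>')
```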

mojavelinux commented 2 years ago

Done: https://docs.asciidoctor.org/asciidoctor/latest/safe-modes/#security-assumptions

If you have anything else to add, I encourage you to click "Edit this Page" and submit your revisions.