Attack scenario

Result

Please check this website.

As you can see, the iframe and JS are present in the website (the JS vector is not working, as it is not executed under the CSP policy).

How?

Please consider this code:

```dart
/// <iframe width="560" height="315" src="https://www.youtube.com/embed/owsfdh4gxyc" frameborder="0" allowfullscreen></iframe>
class Llama {
  final String _name;

  Llama(this._name);

  /// llama <iframe src="javascript:alert(42)"></iframe>
  String get name => _name;

  /// <svg onload=confirm(24)>
  void BBQ() => null;
}
```

As you can see, the dartdocs contain iframe definitions. The HTML was not properly excluded from the generated page, and I was able to inject dodgy data into the docs.
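A publishing pipeline can flag this kind of doc comment before the page is generated. The following is an added example, not part of the original report or of dartdoc's own code: a Python check that parses only the `///` comment text and reports active markup with its source line. The tag, attribute and scheme lists are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Assumed policy for this example: markup that can load or run content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "form", "meta"}
URL_ATTRS = {"src", "href", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


class ActiveHtmlFinder(HTMLParser):
    """Records (line, reason) for markup that must not reach the docs page raw."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which this tag starts
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            # Browsers skip whitespace and control characters inside a scheme.
            url = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if name.startswith("on"):
                self.findings.append((line, f"{name} handler on <{tag}>"))
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                self.findings.append((line, f"script URL in {name} of <{tag}>"))


def audit_doc_comments(dart_source):
    """Scan only `///` comment text; code lines are fed as blanks so line numbers hold."""
    finder = ActiveHtmlFinder()
    for src_line in dart_source.splitlines():
        match = re.match(r"\s*///(.*)", src_line)
        finder.feed((match.group(1) if match else "") + "\n")
    finder.close()
    return finder.findings


# Constructed sample, abbreviated from the class in the report above.
SAMPLE = '''/// <iframe width="560" height="315" src="https://www.youtube.com/embed/owsfdh4gxyc"></iframe>
class Llama {
  /// llama <iframe src="javascript:alert(42)"></iframe>
  String get name => _name;
  /// <svg onload=confirm(24)>
  void BBQ() => null;
}'''

if __name__ == "__main__":
    print(*audit_doc_comments(SAMPLE), sep="\n")
```

A check like this only reports; the generator still has to escape or sanitize the comment HTML before writing it into the page, with CSP as a second layer.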
