Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Docs] Add warning about XSS #149

Open
wants to merge 2 commits into
base: gh-pages
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,20 @@

Tiny, fast, efficient, feature rich Javascript library to detect links / URLs / Emails in text and convert them to clickable HTML anchor links.

> **⚠️ Warning**
>
> Output is not guaranteed to be [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting)-safe. If you call `anchorme` on untrusted user input, make sure to properly sanitize the output immediately before rendering, using a well-tested library such as [DOMPurify](https://github.com/cure53/DOMPurify). For example:
>
> ```js
> el.innerHTML = DOMPurify.sanitize(anchorme(userInput)); // ✅ safe, assuming DOMPurify is correctly configured for your use case and threat model
> el.textContent = anchorme.list(userInput).map((x) => x.string).join(', '); // ✅ safe, as we're only setting text, not rendering HTML
> el.innerHTML = anchorme(TRUSTED_CONTENT_FROM_CMS); // ✅ safe, as we trust the input
>
> el.innerHTML = anchorme(userInput); // 🚨 unsafe
> el.innerHTML = anchorme(DOMPurify.sanitize(userInput)); // 🚨 unsafe, as sanitization must be performed on output, not input
> el.innerHTML = anchorme.list(userInput).map((x) => x.string).join(', '); // 🚨 unsafe, as we're still setting innerHTML
> ```

## Main features

- **Sensitivity**:
Expand Down
4 changes: 1 addition & 3 deletions index.html
Original file line number Diff line number Diff line change
Expand Up @@ -151,9 +151,7 @@ <h1 id="demo" class="page-header">
<div class="row">
<div class="col-md-6">
<textarea
onkeydown="refresh();"
onkeyup="refresh();"
onchange="refresh();"
oninput="refresh();"
id="input"
style="width: 100%; height: 1000px;"
>
Expand Down