1 file changed +16 -0 lines changed
@@ -69,6 +69,7 @@ The latest released version is [`3.0.0`][latest].
6969* [ Glossary] ( #glossary )
7070* [ List of Utilities] ( #list-of-utilities )
7171* [ References] ( #references )
72+ * [ Security] ( #security )
7273* [ Contribute] ( #contribute )
7374* [ Acknowledgments] ( #acknowledgments )
7475* [ License] ( #license )
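Review bot: the new table-of-contents entry is placed between References and Contribute, which matches where the `## Security` section itself lands in the next hunk, and `#security` is the anchor GitHub generates for a `## Security` heading, so the link will resolve; nothing to change in this hunk.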
@@ -1387,6 +1388,15 @@ See the [unist list of utilities][utilities] for more utilities.
13871388 C. McCormack.
13881389 W3C.
13891390
1391+ ## Security
1392+
1393+ As mdast can contain HTML and be used to represent HTML, and improper use of
1394+ HTML can open you up to a [ cross-site scripting (XSS)] [ xss ] attack, improper use
1395+ of mdast is also unsafe.
1396+ When transforming to HTML (typically through [ ** hast** ] [ hast ] ), always be
1397+ careful with user input and use [ ` hast-util-santize ` ] [ sanitize ] to make the hast
1398+ tree safe.
1399+
13901400## Contribute
13911401
13921402See [ ` contributing.md ` ] [ contributing ] in [ ` syntax-tree/.github ` ] [ health ] for
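Review bot: the package name in the line `careful with user input and use [`hast-util-santize`][sanitize] to make the hast` is misspelled; it should read `hast-util-sanitize`, matching the `[sanitize]` definition added in the last hunk (`https://github.com/syntax-tree/hast-util-sanitize`). As written, a reader copying the name into a package manager will not find it. Suggested replacement: `careful with user input and use [`hast-util-sanitize`][sanitize] to make the hast`. The rest of the section reads correctly: because mdast can carry raw HTML, sanitization has to be applied to the hast tree produced by the transform, after conversion and before the tree is serialized to HTML, rather than being assumed safe because the input was Markdown.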
@@ -1580,3 +1590,9 @@ projects!
15801590[ unified ] : https://github.com/unifiedjs/unified
15811591
15821592[ remark ] : https://github.com/remarkjs/remark
1593+
1594+ [ xss ] : https://en.wikipedia.org/wiki/Cross-site_scripting
1595+
1596+ [ hast ] : https://github.com/syntax-tree/hast
1597+
1598+ [ sanitize ] : https://github.com/syntax-tree/hast-util-sanitize
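Review bot: the three appended reference definitions follow the existing blank-line-separated style of the `[unified]` and `[remark]` entries, and the `[xss]`, `[hast]` and `[sanitize]` labels match the references used in the new Security section, so no dangling references are introduced. Note that this definition spells the package correctly as `hast-util-sanitize`, which confirms the link text in the Security hunk needs the one-character fix.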
0 commit comments