yukulele
commented
2 years ago Open gmatuz opened 3 years ago
yukulele
commented
2 years ago 
arnolem
commented
1 year ago Version 1.1.2 seems safe
lionel-rowe
commented
1 month ago Version 1.1.2 seems safe
"Seems safe", two words any web developer should be rightfully terrified of 😱
I think the correct fix for this is to explicitly state in documentation that the library is almost certainly not XSS-safe, most likely never will be, and that it's up to the consumer to properly mitigate XSS by sanitizing the output of anchorme if calling it on untrusted user input. There are plenty of well-tested solutions out there for doing this, such as DOMPurify.
See showdown's article on XSS, which they link to from their README, for a great example of how to document this stuff.
There are character sequences that would be understood as benign by most sanitisers that when they are passed through anchorme result in javascript execution. I'll omit examples for obvious reasons, please reach out if you would like to know more.
Add to that based on a small research it is obvious that users of the library do not know that the output of anchore me should not be trusted to be free of potentially malicious javascript. I think there is an argument to try to do sanitization (or at least make it a default switchable option), because that is how people often use the library and it is possibly beneficial to be safe by default. That said even if this was not the preferred option the fact that people are often using it in an unsafe way shows that it would be useful to have at least some sort of disclaimer that clarifies the security model of anchorme.