alexcorvi / anchorme.js

Tiny, fast, efficient, feature rich Javascript library to detect links / URLs / Emails in text and convert them to clickable HTML anchor links
http://alexcorvi.github.io/anchorme.js/
MIT License
561 stars, 64 forks

Mutation XSS + general sanitization #112

Open gmatuz opened 3 years ago

gmatuz commented 3 years ago

There are character sequences that would be understood as benign by most sanitisers that when they are passed through anchorme result in javascript execution. I'll omit examples for obvious reasons, please reach out if you would like to know more.

Add to that, based on some small research, it is obvious that users of the library do not know that the output of anchorme should not be trusted to be free of potentially malicious javascript. I think there is an argument to try to do sanitization (or at least make it a default switchable option), because that is how people often use the library and it is possibly beneficial to be safe by default. That said, even if this was not the preferred option, the fact that people are often using it in an unsafe way shows that it would be useful to have at least some sort of disclaimer that clarifies the security model of anchorme.

yukulele commented 2 years ago

https://github.com/advisories/GHSA-w4wq-rvmq-77x7

arnolem commented 1 year ago

Version 1.1.2 seems safe

lionel-rowe commented 6 months ago

> Version 1.1.2 seems safe

"Seems safe", two words any web developer should be rightfully terrified of 😱

I think the correct fix for this is to explicitly state in documentation that the library is almost certainly not XSS-safe, most likely never will be, and that it's up to the consumer to properly mitigate XSS by sanitizing the output of anchorme if calling it on untrusted user input. There are plenty of well-tested solutions out there for doing this, such as DOMPurify.

See showdown's article on XSS, which they link to from their README, for a great example of how to document this stuff.
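The pattern lionel-rowe describes, as an added example that is not anchorme's code and not part of this thread: treat the text as untrusted, escape it, and let only an allowlisted set of schemes become anchors. Because anchorme and DOMPurify are not loaded here, a deliberately small linkifier stands in for anchorme; the point is the ordering and the escaping of every emitted attribute and text node, not the regex. The function names and the sample inputs are constructed for the example.

```javascript
// Added example, not anchorme's own code. Shows the defensive shape a consumer
// needs when linkifying untrusted input:
// 1. every non-URL segment of the input is HTML-escaped, so no markup survives;
// 2. only http(s) URLs and e-mail addresses become anchors (allowlisted schemes);
// 3. the href and the anchor text are escaped, and rel="noopener noreferrer" is set.
// In a real application you would run anchorme for step 2 and then pass the
// resulting HTML through a sanitizer such as DOMPurify before inserting it.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allowlist: http(s) URLs (not ending in trailing punctuation) and bare e-mail addresses.
// Anything else, including javascript: or data: strings, stays plain text.
const URL_RE = /\bhttps?:\/\/[^\s<>"']*[^\s<>"'.,;:!?)]|[\w.+-]+@[\w-]+(?:\.[\w-]+)+/gi;

// Walk the raw input, escaping the gaps and wrapping each match in an anchor.
function linkifyUntrusted(text) {
  const s = String(text);
  let out = '';
  let last = 0;
  for (const m of s.matchAll(URL_RE)) {
    out += escapeHtml(s.slice(last, m.index));
    const isEmail = m[0].includes('@') && !/^https?:/i.test(m[0]);
    const href = isEmail ? `mailto:${m[0]}` : m[0];
    out += `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(s.slice(last));
  return out;
}

// Constructed inputs: markup in the text is neutralised, a non-allowlisted
// scheme is left as text, and a query string with & is escaped in the href.
const samples = [
  '<script>x</script> http://x.test/',
  'javascript:void(0)',
  'see https://example.com/a?b=1&c=2.',
  'mail me: bob@example.org',
];
for (const sample of samples) {
  console.log(linkifyUntrusted(sample));
}
```

The escaping happens on the raw segments rather than on the whole string first, so a URL containing `&` is escaped exactly once in both the href and the link text; escaping the entire input up front and then linkifying would double-escape those characters. None of this replaces running the final HTML through a sanitizer when the source is user input, which is the thread's actual recommendation.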