gregjacobs / Autolinker.js

Utility to Automatically Link URLs, Email Addresses, Phone Numbers, Twitter handles, and Hashtags in a given block of text/HTML
MIT License
1.48k stars  238 forks

Warn in README about sanitizing input first #23

Closed. ustun closed this 8 years ago

ustun commented 10 years ago

If the user doesn't sanitize the input before passing it to Autolinker, and then she feeds it to the DOM in that form, it will be a security issue. This is probably obvious for most, but still needs to be mentioned, I think.

The Caja sanitizer could be linked from there as an example: https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer

cooervo commented 6 years ago

Does this provide protection against XSS?

  1. Sanitize HTML
  2. Use Autolinker

gregjacobs commented 6 years ago

Not sure actually. I'm not too familiar with XSS other than to make sure users can't add Githubissues.
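To make the ordering question in this thread concrete, here is an added example that is not part of Autolinker.js and not code from anyone in this issue. The `linkUrls()` function below is a deliberately tiny stand-in linker (a regex that wraps bare http/https URLs in `<a>` tags) so the demo runs offline; it is not Autolinker's API, and the real library, which accepts HTML input per the project description, has its own HTML handling that this stand-in does not reproduce. `escapeHtml()` is the strictest form of "sanitize": it is the right choice when user text is not supposed to contain markup at all; where some HTML is allowed, an allowlist sanitizer such as the Caja one linked above goes in the same position in the pipeline. The sample input, function names and the `hasForeignTag()` check are all constructed for this illustration.

```javascript
// Added example: not Autolinker.js code. linkUrls() is a stand-in for an
// autolinker so this runs offline; it is NOT Autolinker's API.

// Escape the five characters that change meaning in HTML text and attribute
// context. '&' goes first so already-produced entities are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in linker: wrap bare http(s) URLs in <a> tags. Only http/https are
// matched, so a javascript: or data: URL in the text is never turned into a
// link. The character class stops at whitespace, angle brackets and quotes so
// a matched URL can never break out of the href attribute we put it in.
const URL_RE = /https?:\/\/[^\s<>"']+/g;
function linkUrls(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Correct order (cooervo's steps 1 and 2): escape the user text first, then
// add links. Everything in the output that is a tag was generated by us.
function safeAutolink(userInput) {
  return linkUrls(escapeHtml(userInput));
}

// Wrong order 1: link and never escape. The user's own markup reaches the DOM.
function unsafeAutolink(userInput) {
  return linkUrls(userInput);
}

// Wrong order 2: link first, escape afterwards. Safe, but the generated
// anchors are escaped into visible text, so autolinking achieved nothing.
function autolinkThenEscape(userInput) {
  return escapeHtml(linkUrls(userInput));
}

// Constructed sample input: an XSS payload next to a legitimate URL that
// contains an '&' (to show the escaped '&amp;' inside the href is correct HTML:
// attribute values are entity-decoded by the browser).
const SAMPLE = '<img src=x onerror=alert(1)> see https://example.com/?a=1&b=2';

// Constructed check: true if the HTML contains any raw tag other than the
// <a> / </a> we generate ourselves.
function hasForeignTag(html) {
  return /<(?!\/?a\b)[a-z]/i.test(html);
}

function demo() {
  return {
    safe: safeAutolink(SAMPLE),
    safeHasForeignTag: hasForeignTag(safeAutolink(SAMPLE)),
    unsafe: unsafeAutolink(SAMPLE),
    unsafeHasForeignTag: hasForeignTag(unsafeAutolink(SAMPLE)),
    escapedAfterLinking: autolinkThenEscape(SAMPLE),
    jsSchemeNotLinked: !safeAutolink('click javascript:alert(1)').includes('<a'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Read the three outputs side by side: only `safeAutolink()` yields markup where every tag is one the linker produced, `unsafeAutolink()` forwards the `<img onerror>` untouched, and `autolinkThenEscape()` turns the anchors into literal `&lt;a href=...&gt;` text. Whatever linker you use, the sanitizer or escaper has to run on the input, before linking, and the linker itself should only ever emit hrefs with schemes you intend to allow.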
