security considerations document

mmmdpp.rb

@@ -1,6 +1,5 @@
+#!/bin/ruby
+# frozen_string_literal: true
+
+require 'optionparser'
 
-if __FILE__ == $0
-  text = $stdin.read
-  renderer = MDPP::Renderer.new(text, {})
-  puts renderer.render
-end

security.md

@@ -0,0 +1,21 @@
+Security acknowledgements
+=========================
+
+While special care has been taken to prevent some of the more common common
+vulnerabilities that might arise from using this parser, it does not prevent
+certain issues which **which should be acknowledged**.
+
+- It is possible to inject a form of one-click XSS into the website. In
+  particular, there are no restrictions placed on urls embedded within the links
+  (as per the description of CommonMark specification). As such, something as
+  simple as `[test](<javascript:dangerous code here>)` would be more than enough
+  to employ such an exploit.
+- While generally speaking the parser acts stable on most tests, and precents
+  stray HTML tokens from occuring in the output text where appropriate, due to
+  the nontrivial nature of the task some form of XSS injection may or may not
+  occur. If such an incident occurs, please report it to the current maintainer
+  of the project.
+- User input should NOT be trusted when it comes to applying options to
+  rendering. Some renderers, such as the HTML renderer, allow modifying the
+  style parameter for rendered tags, which when passed control of to an
+  untrusted party may become an XSS attack vector.