From 3fd7e48907277ce105c4fe4f0f3b6a738cca3d92 Mon Sep 17 00:00:00 2001
From: Yessiest <yessiest@memeware.net>
Date: Fri, 7 Mar 2025 21:30:23 +0000
Subject: [PATCH] security considerations document

---
 mmmdpp.rb   |  9 ++++-----
 security.md | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 security.md

diff --git a/mmmdpp.rb b/mmmdpp.rb
index 2cc7043..ddff607 100644
--- a/mmmdpp.rb
+++ b/mmmdpp.rb
@@ -1,6 +1,5 @@
+#!/bin/ruby
+# frozen_string_literal: true
+
+require 'optionparser'
 
-if __FILE__ == $0
-  text = $stdin.read
-  renderer = MDPP::Renderer.new(text, {})
-  puts renderer.render
-end
diff --git a/security.md b/security.md
new file mode 100644
index 0000000..e25ed5e
--- /dev/null
+++ b/security.md
@@ -0,0 +1,21 @@
+Security acknowledgements
+=========================
+
+While special care has been taken to prevent some of the more common common
+vulnerabilities that might arise from using this parser, it does not prevent
+certain issues which **which should be acknowledged**.
+
+- It is possible to inject a form of one-click XSS into the website. In
+  particular, there are no restrictions placed on urls embedded within the links
+  (as per the description of CommonMark specification). As such, something as
+  simple as `[test](<javascript:dangerous code here>)` would be more than enough
+  to employ such an exploit.
+- While generally speaking the parser acts stable on most tests, and precents
+  stray HTML tokens from occuring in the output text where appropriate, due to
+  the nontrivial nature of the task some form of XSS injection may or may not
+  occur. If such an incident occurs, please report it to the current maintainer
+  of the project.
+- User input should NOT be trusted when it comes to applying options to
+  rendering. Some renderers, such as the HTML renderer, allow modifying the
+  style parameter for rendered tags, which when passed control of to an
+  untrusted party may become an XSS attack vector.