Security
Yessiest edited this page 2025-04-03 22:36:03 +00:00

Security acknowledgements

While special care has been taken to prevent some of the more common vulnerabilities that might arise from using this parser, it does not prevent certain issues, which should be acknowledged.

  • It is possible to inject a form of one-click XSS into the website. In particular, no restrictions are placed on the URLs embedded within links (as per the CommonMark specification). As such, something as simple as [test](<javascript:dangerous code here>) would be more than enough to employ such an exploit.
  • While, generally speaking, the parser behaves stably on most tests and prevents stray HTML tokens from occurring in the output text where appropriate, due to the nontrivial nature of the task some form of XSS injection may still occur. If such an incident occurs, please report it to the current maintainer of the project.
  • User input should NOT be trusted when it comes to applying options to rendering. Some renderers, such as the HTML renderer, allow modifying the style parameter of rendered tags, which may become an XSS attack vector if control of it is handed to an untrusted party.
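The first and third points above name the two places where untrusted data reaches the HTML output: the link destination and the style option. The following is an added example, not code from this project or its renderer, showing the checks an application embedding the parser can apply to those two values before they are written into a tag: a scheme allowlist for link destinations (the allowed set http, https and mailto is an assumption) and a narrow character allowlist for style declarations. The function names safe_href, safe_style and render_link and the sample inputs are constructed for this example.

```python
import html
import re

# Assumed policy for this example: schemes a link destination may use.
# Relative destinations (no scheme) are also accepted. The project itself
# defines no such list; CommonMark deliberately places no restriction here.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A URL scheme is a leading letter followed by letters, digits, "+", "-" or
# "." up to the first ":" (matches how browsers extract it).
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

# A single CSS declaration limited to a plain "property: value" shape with
# no quotes, parentheses, braces or angle brackets, so it can neither break
# out of the attribute nor carry url(...) / expression(...) payloads.
_STYLE_DECL_RE = re.compile(r"^[a-z\-]+\s*:\s*[a-zA-Z0-9#%., \-]+$")


def safe_href(url):
    """Return the destination if its scheme is allowed (or absent), else None.

    ASCII control characters and surrounding whitespace are removed first,
    because browsers ignore them when reading the scheme, so "java\\tscript:"
    must be judged as "javascript:".
    """
    cleaned = "".join(ch for ch in url.strip() if 31 < ord(ch) != 127)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return cleaned  # relative URL, fragment, or bare path
    if match.group(1).lower() in ALLOWED_SCHEMES:
        return cleaned
    return None


def safe_style(style):
    """Accept only a non-empty list of simple 'prop: value' declarations."""
    decls = [d.strip() for d in style.split(";") if d.strip()]
    return bool(decls) and all(_STYLE_DECL_RE.match(d) for d in decls)


def render_link(url, text, style=None):
    """Render one link as an <a> tag, applying both checks.

    A rejected destination yields an anchor without href rather than a
    script-bearing one; a rejected style is simply dropped. Every value that
    does get emitted is attribute-escaped with html.escape.
    """
    attrs = []
    href = safe_href(url)
    if href is not None:
        attrs.append(' href="%s"' % html.escape(href, quote=True))
    if style is not None and safe_style(style):
        attrs.append(' style="%s"' % html.escape(style, quote=True))
    return "<a%s>%s</a>" % ("".join(attrs), html.escape(text))


if __name__ == "__main__":
    # Constructed inputs: the page's own javascript: example, a tab-split
    # scheme, a relative path, and a style value that tries to close the
    # attribute early.
    print(render_link("javascript:dangerous code here", "test"))
    print(render_link("java\tscript:alert(1)", "test"))
    print(render_link("/docs/index.html", "docs"))
    print(render_link("https://example.com", "ok", style="color: red"))
    print(render_link("https://example.com", "ok",
                      style='color:red" onmouseover="alert(1)'))
```

The check runs on the destination after the parser has already decoded entities and stripped the angle brackets of a <...> destination, which is where a renderer would see it; checking the raw source text instead would miss encoded forms.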