Add Security

2025-04-03 22:36:03 +00:00 · 2025-04-03 22:36:03 +00:00 · 3b3275f1f2
parent f45d4a9ee7
commit 3b3275f1f2
1 changed files with 21 additions and 0 deletions
--- a/Security.md
+++ b/Security.md
@ -0,0 +1,21 @@
+Security acknowledgements
+=========================
+
+While special care has been taken to prevent some of the more common common
+vulnerabilities that might arise from using this parser, it does not prevent
+certain issues which **which should be acknowledged**.
+
+- It is possible to inject a form of one-click XSS into the website. In
+  particular, there are no restrictions placed on urls embedded within the links
+  (as per the description of CommonMark specification). As such, something as
+  simple as `[test](<javascript:dangerous code here>)` would be more than enough
+  to employ such an exploit.
+- While generally speaking the parser acts stable on most tests, and precents
+  stray HTML tokens from occuring in the output text where appropriate, due to
+  the nontrivial nature of the task some form of XSS injection may or may not
+  occur. If such an incident occurs, please report it to the current maintainer
+  of the project.
+- User input should NOT be trusted when it comes to applying options to
+  rendering. Some renderers, such as the HTML renderer, allow modifying the
+  style parameter for rendered tags, which when passed control of to an
+  untrusted party may become an XSS attack vector.