Skip to content

Commit d9484c8

Browse files
wooormwooorm
committed
Add notes on security
1 parent cd6acf5 commit d9484c8

File tree

1 file changed

+73
-0
lines changed

1 file changed

+73
-0
lines changed

readme.md

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -205,6 +205,75 @@ Yields, in [hast][] (**note**: the `pre` and `language-js` class are normal
205205
}
206206
```
207207

208+
## Security
209+
210+
Use of `mdast-util-to-hast` can open you up to a
211+
[cross-site scripting (XSS)][xss] attack.
212+
Embedded hast properties (`hName`, `hProperties`, `hChildren`), custom handlers,
213+
and the `allowDangerousHTML` option all provide openings.
214+
215+
The following example shows how a script is injected where a benign code block
216+
is expected with embedded hast properties:
217+
218+
```js
219+
var code = {type: 'code', value: 'alert(1)'}
220+
221+
code.data = {hName: 'script'}
222+
```
223+
224+
Yields:
225+
226+
```html
227+
<script>alert(1)</script>
228+
```
229+
230+
The following example shows how an image is changed to fail loading and
231+
therefore run code in a browser.
232+
233+
```js
234+
var image = {type: 'image', url: 'existing.png'}
235+
236+
image.data = {hProperties: {src: 'missing', onError: 'alert(2)'}}
237+
```
238+
239+
Yields:
240+
241+
```html
242+
<img src="missing" onerror="alert(2)">
243+
```
244+
245+
The following example shows the default handling of embedded HTML:
246+
247+
```markdown
248+
# Hello
249+
250+
<script>alert(3)</script>
251+
```
252+
253+
Yields:
254+
255+
```html
256+
<h1>Hello</h1>
257+
```
258+
259+
Passing `allowDangerousHTML: true` to `mdast-util-to-hast` is typically still
260+
not enough to run unsafe code:
261+
262+
```html
263+
<h1>Hello</h1>
264+
&#x3C;script>alert(3)&#x3C;/script>
265+
```
266+
267+
If `allowDangerousHTML: true` is also given to `hast-util-to-html` (or
268+
`rehype-stringify`), the unsafe code runs:
269+
270+
```html
271+
<h1>Hello</h1>
272+
<script>alert(3)</script>
273+
```
274+
275+
Use [`hast-util-santize`][sanitize] to make the hast tree safe.
276+
208277
## Related
209278

210279
* [`mdast-util-to-nlcst`](https://github.com/syntax-tree/mdast-util-to-nlcst)
@@ -296,6 +365,8 @@ abide by its terms.
296365

297366
[raw]: https://github.com/syntax-tree/hast-util-raw
298367

368+
[sanitize]: https://github.com/syntax-tree/hast-util-sanitize
369+
299370
[remark-rehype]: https://github.com/remarkjs/remark-rehype
300371

301372
[remark-frontmatter]: https://github.com/remarkjs/remark-frontmatter
@@ -311,3 +382,5 @@ abide by its terms.
311382
[hproperties]: #hproperties
312383

313384
[hchildren]: #hchildren
385+
386+
[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting

0 commit comments

Comments
 (0)