@@ -205,6 +205,75 @@ Yields, in [hast][] (**note**: the `pre` and `language-js` class are normal
205205}
206206```
207207
208+ ## Security
209+
210+ Use of ` mdast-util-to-hast ` can open you up to a
211+ [ cross-site scripting (XSS)] [ xss ] attack.
212+ Embedded hast properties (` hName ` , ` hProperties ` , ` hChildren ` ), custom handlers,
213+ and the ` allowDangerousHTML ` option all provide openings.
214+
215+ The following example shows how a script is injected where a benign code block
216+ is expected with embedded hast properties:
217+
218+ ``` js
219+ var code = {type: ' code' : ' alert(1)'
220+
221+ code .data = {hName: ' script'
222+ ```
223+
224+ Yields:
225+
226+ ``` html
227+ <script >alert (1 )script >
228+ ```
229+
230+ The following example shows how an image is changed to fail loading and
231+ therefore run code in a browser.
232+
233+ ``` js
234+ var image = {type: ' image' : ' existing.png'
235+
236+ image .data = {hProperties: {src: ' missing' : ' alert(2)'
237+ ```
238+
239+ Yields:
240+
241+ ``` html
242+ <img src =" missing" onerror =" alert(2)"
243+ ```
244+
245+ The following example shows the default handling of embedded HTML:
246+
247+ ``` markdown
248+ # Hello
249+
250+ <script>alert(3)</script>
251+ ```
252+
253+ Yields:
254+
255+ ``` html
256+ <h1 >Hello</h1 >
257+ ```
258+
259+ Passing ` allowDangerousHTML: true ` to ` mdast-util-to-hast ` is typically still
260+ not enough to run unsafe code:
261+
262+ ``` html
263+ <h1 >Hello</h1 >
264+ < ; script>alert(3)< ; /script>
265+ ```
266+
267+ If ` allowDangerousHTML: true ` is also given to ` hast-util-to-html ` (or
268+ ` rehype-stringify ` ), the unsafe code runs:
269+
270+ ``` html
271+ <h1 >Hello</h1 >
272+ <script >alert (3 )script >
273+ ```
274+
275+ Use [ ` hast-util-santize ` ] [ sanitize ] to make the hast tree safe.
276+
208277## Related
209278
210279* [ ` mdast-util-to-nlcst ` ] ( https://github.com/syntax-tree/mdast-util-to-nlcst )
@@ -296,6 +365,8 @@ abide by its terms.
296365
297366[ raw ] : https://github.com/syntax-tree/hast-util-raw
298367
368+ [ sanitize ] : https://github.com/syntax-tree/hast-util-sanitize
369+
299370[ remark-rehype ] : https://github.com/remarkjs/remark-rehype
300371
301372[ remark-frontmatter ] : https://github.com/remarkjs/remark-frontmatter
@@ -311,3 +382,5 @@ abide by its terms.
311382[ hproperties ] : #hproperties
312383
313384[ hchildren ] : #hchildren
385+
386+ [ xss ] : https://en.wikipedia.org/wiki/Cross-site_scripting
0 commit comments