mdast-util-to-hast - npm Package Compare versions

Comparing version 6.0.1 to 6.0.2

lib/handlers/footnote-reference.js

@@ -9,3 +9,3 @@ 'use strict'
   var footnoteOrder = h.footnoteOrder
-  var identifier = node.identifier
+  var identifier = String(node.identifier)
 
@@ -12,0 +12,0 @@ if (footnoteOrder.indexOf(identifier) === -1) {

lib/index.js

@@ -88,3 +88,3 @@ 'use strict'
   function onfootnotedefinition(definition) {
-    var id = definition.identifier.toUpperCase()
+    var id = String(definition.identifier).toUpperCase()
 
@@ -91,0 +91,0 @@ // Mimick CM behavior of link definitions.

package.json

 {
   "name": "mdast-util-to-hast",
-  "version": "6.0.1",
+  "version": "6.0.2",
   "description": "Transform mdast to hast",
@@ -5,0 +5,0 @@ "license": "MIT",

readme.md

@@ -208,2 +208,71 @@ # mdast-util-to-hast
 
+## Security
+
+Use of `mdast-util-to-hast` can open you up to a
+[cross-site scripting (XSS)][xss] attack.
+Embedded hast properties (`hName`, `hProperties`, `hChildren`), custom handlers,
+and the `allowDangerousHTML` option all provide openings.
+
+The following example shows how a script is injected where a benign code block
+is expected with embedded hast properties:
+
+```js
+var code = {type: 'code', value: 'alert(1)'}
+
+code.data = {hName: 'script'}
+```
+
+Yields:
+
+```html
+<script>alert(1)</script>
+```
+
+The following example shows how an image is changed to fail loading and
+therefore run code in a browser.
+
+```js
+var image = {type: 'image', url: 'existing.png'}
+
+image.data = {hProperties: {src: 'missing', onError: 'alert(2)'}}
+```
+
+Yields:
+
+```html
+<img src="missing" onerror="alert(2)">
+```
+
+The following example shows the default handling of embedded HTML:
+
+```markdown
+# Hello
+
+<script>alert(3)</script>
+```
+
+Yields:
+
+```html
+<h1>Hello</h1>
+```
+
+Passing `allowDangerousHTML: true` to `mdast-util-to-hast` is typically still
+not enough to run unsafe code:
+
+```html
+<h1>Hello</h1>
+&#x3C;script>alert(3)&#x3C;/script>
+```
+
+If `allowDangerousHTML: true` is also given to `hast-util-to-html` (or
+`rehype-stringify`), the unsafe code runs:
+
+```html
+<h1>Hello</h1>
+<script>alert(3)</script>
+```
+
+Use [`hast-util-santize`][sanitize] to make the hast tree safe.
+
 ## Related
@@ -300,2 +369,4 @@
 
+[sanitize]: https://github.com/syntax-tree/hast-util-sanitize
+
 [remark-rehype]: https://github.com/remarkjs/remark-rehype
@@ -316,1 +387,3 @@
 [hchildren]: #hchildren
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

29226

increased by5.41%

Number of lines in readme file

387

increased by23.25%

No dependency changes