mdast-util-to-hast
Comparing version 6.0.1 to 6.0.2
@@ -9,3 +9,3 @@ 'use strict' | ||
var footnoteOrder = h.footnoteOrder | ||
var identifier = node.identifier | ||
var identifier = String(node.identifier) | ||
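Review bot: the String() coercion keeps the footnoteOrder.indexOf(identifier) lookup in the context line below consistent with the string stored on the definition side (a numeric identifier would otherwise never match), but it also turns a missing identifier into the literal string 'undefined'; if that case is reachable, check that node.identifier is present before coercing, and add a regression test with a numeric identifier so both handlers are exercised.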
@@ -12,0 +12,0 @@ if (footnoteOrder.indexOf(identifier) === -1) { |
@@ -88,3 +88,3 @@ 'use strict' | ||
function onfootnotedefinition(definition) { | ||
var id = definition.identifier.toUpperCase() | ||
var id = String(definition.identifier).toUpperCase() | ||
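Review bot: before this change .toUpperCase() on a non-string identifier threw a TypeError, so a programmatically built or untrusted mdast tree with a numeric footnote identifier aborted rendering; the coercion fixes that, but this side upper-cases while the reference-side hunk above only wraps in String(), so confirm the reference lookup normalizes case the same way (ideally through one shared helper) and cover both paths in a test.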
@@ -91,0 +91,0 @@ // Mimick CM behavior of link definitions. |
{ | ||
"name": "mdast-util-to-hast", | ||
"version": "6.0.1", | ||
"version": "6.0.2", | ||
"description": "Transform mdast to hast", | ||
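Review bot: only the version field changes, which is the right patch-level bump for a behaviour-preserving coercion fix; pair it with a changelog or release note that names the non-string identifier crash so consumers rendering untrusted markdown know why to update.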
@@ -5,0 +5,0 @@ "license": "MIT", |
@@ -208,2 +208,71 @@ # mdast-util-to-hast | ||
## Security | ||
Use of `mdast-util-to-hast` can open you up to a | ||
[cross-site scripting (XSS)][xss] attack. | ||
Embedded hast properties (`hName`, `hProperties`, `hChildren`), custom handlers, | ||
and the `allowDangerousHTML` option all provide openings. | ||
The following example shows how a script is injected where a benign code block | ||
is expected with embedded hast properties: | ||
```js | ||
var code = {type: 'code', value: 'alert(1)'} | ||
code.data = {hName: 'script'} | ||
``` | ||
Yields: | ||
```html | ||
<script>alert(1)</script> | ||
``` | ||
The following example shows how an image is changed to fail loading and | ||
therefore run code in a browser. | ||
```js | ||
var image = {type: 'image', url: 'existing.png'} | ||
image.data = {hProperties: {src: 'missing', onError: 'alert(2)'}} | ||
``` | ||
Yields: | ||
```html | ||
<img src="missing" onerror="alert(2)"> | ||
``` | ||
The following example shows the default handling of embedded HTML: | ||
```markdown | ||
# Hello | ||
<script>alert(3)</script> | ||
``` | ||
Yields: | ||
```html | ||
<h1>Hello</h1> | ||
``` | ||
Passing `allowDangerousHTML: true` to `mdast-util-to-hast` is typically still | ||
not enough to run unsafe code: | ||
```html | ||
<h1>Hello</h1> | ||
<script>alert(3)</script> | ||
``` | ||
If `allowDangerousHTML: true` is also given to `hast-util-to-html` (or | ||
`rehype-stringify`), the unsafe code runs: | ||
```html | ||
<h1>Hello</h1> | ||
<script>alert(3)</script> | ||
``` | ||
Use [`hast-util-santize`][sanitize] to make the hast tree safe. | ||
## Related | ||
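Review bot: the closing sentence spells the package `hast-util-santize`; the `[sanitize]` link label resolves, but the visible name should read `hast-util-sanitize`. The two "Yields" blocks after the `allowDangerousHTML` paragraphs are identical, so the reader cannot see why passing the option to `mdast-util-to-hast` alone is "still not enough"; show what the stringifier produces for the raw node when it is not also given `allowDangerousHTML`, rather than repeating the final HTML. It would also help to state up front that the embedded-property and custom-handler openings apply whenever the mdast tree itself comes from untrusted input, not only the markdown text.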
@@ -300,2 +369,4 @@ | ||
[sanitize]: https://github.com/syntax-tree/hast-util-sanitize | ||
[remark-rehype]: https://github.com/remarkjs/remark-rehype | ||
@@ -316,1 +387,3 @@ | ||
[hchildren]: #hchildren | ||
[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting |