Add notes on security

wooorm · wooorm · commit b6840824f38a · 2019-07-17T11:39:09.000+02:00
diff --git a/package.json b/package.json
@@ -24,7 +24,7 @@
     "hast-util-is-element": "^1.0.0",
     "hast-util-whitespace": "^1.0.0",
     "html-void-elements": "^1.0.0",
-    "property-information": "^5.0.0",
+    "property-information": "^5.2.0",
     "space-separated-tokens": "^1.0.0",
     "stringify-entities": "^2.0.0",
     "unist-util-is": "^3.0.0",
diff --git a/readme.md b/readme.md
@@ -167,6 +167,12 @@ Allow `raw` nodes and insert them as raw HTML.
 When falsey, encodes `raw` nodes (`boolean`, default: `false`).
 **Note**: Only set this if you completely trust the content.
 
+## Security
+
+Use of `hast-util-to-html` can open you up to a
+[cross-site scripting (XSS)][xss] attack if the hast tree is unsafe.
+Use [`hast-util-santize`][sanitize] to make the hast tree safe.
+
 ## Related
 
 *   [`hast-util-sanitize`][hast-util-sanitize]
@@ -241,3 +247,7 @@ abide by its terms.
 [hast]: https://github.com/syntax-tree/hast
 
 [element]: https://github.com/syntax-tree/hast#element
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
+
+[sanitize]: https://github.com/syntax-tree/hast-util-sanitize
diff --git a/test/index.js b/test/index.js
@@ -13,4 +13,5 @@ require('./omission')
 require('./omission-opening')
 require('./omission-closing')
 require('./svg')
+require('./security')
 /* eslint-enable import/no-unassigned-import */
diff --git a/test/security.js b/test/security.js
@@ -0,0 +1,34 @@
+'use strict'
+
+var test = require('tape')
+var h = require('hastscript')
+var u = require('unist-builder')
+var to = require('..')
+
+test('security', function(t) {
+  t.equal(
+    to(u('root', [u('comment', '--><script>alert(1)</script><!--')])),
+    '<!----><script>alert(1)</script><!---->',
+    'comments can break out of their context (unsafe)'
+  )
+
+  t.equal(
+    to(u('root', [h('script', 'alert(1)')])),
+    '<script>alert(1)</script>',
+    'scripts render (unsafe)'
+  )
+
+  t.equal(
+    to(h('img', {src: 'x', onError: 'alert(1)'})),
+    '<img src="x" onerror="alert(1)">',
+    'event attributes render (unsafe)'
+  )
+
+  t.equal(
+    to(u('root', u('text', '<script>alert(1)</script>'))),
+    '&#x3C;script>alert(1)&#x3C;/script>',
+    'texts are encoded (safe)'
+  )
+
+  t.end()
+})
