linkifyjs
Confusing XSS documentation
The XSS documentation says that "DOM interfaces are generally safe to use".
What does "generally" mean here? Is it safe to use or not? If not, it would be nice if the documentation could explicitly clarify the potential risks and attack vectors when using linkifyjs. Like, what are the potential gotchas? What should I be aware of? What do you recommend?
As someone who is paranoid about security, the wording provokes a fear in me that deters me from using the library.
Hi @Torsteinws, I'm not a web security expert, so I don't make any promises about how "safe" Linkify is to use. The Cross-site scripting page is meant to call out the one obvious potential danger of converting user-provided text input to HTML and outputting it to the page without validation. This is largely left as the end programmer's responsibility, not Linkify's (as stated in the notice at the top).
"Generally" on that page refers to Linkify use cases that, as far as I know, will NOT lead to an XSS attack. However, this does not mean that use case is always safe. For example, a hacker may provide a valid but malicious URL that will hijack your computer if you click it.
I can write something to that effect on that page. Any other suggestions are welcome!
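The hazard the maintainer describes above (user-provided text turned into HTML and written to the page without escaping) is easy to show in miniature. The following is an added illustration, not linkifyjs code and not a description of how linkifyjs itself behaves: a deliberately naive URL-to-anchor converter that leaves surrounding text raw, next to a version that HTML-escapes every text segment, escapes the `href` attribute, matches only `http`/`https` URLs so that schemes such as `javascript:` are never turned into links, and adds `rel="noopener noreferrer"` on the generated anchors. The regular expression, the helper names and the sample input are all constructed for this example.

```javascript
// Added example, not part of linkifyjs. Shows why "convert user text to HTML and
// insert it" is dangerous unless every text segment is escaped.

// Constructed, intentionally narrow URL pattern: only http/https, and it stops at
// whitespace, angle brackets and quotes so a match can never break out of an attribute.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// UNSAFE: wraps URLs in anchors but copies the rest of the input verbatim, so any
// markup the user typed (e.g. an <img onerror=...>) reaches the page untouched.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// SAFER: walk the input as alternating text/URL segments, escape each text segment,
// and build anchors only for http(s) URLs with an escaped href and a restrictive rel.
function linkifySafer(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    const safeUrl = escapeHtml(url); // attribute-escaped; scheme already limited by URL_RE
    out += `<a href="${safeUrl}" rel="noopener noreferrer" target="_blank">${safeUrl}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample input: a markup injection attempt followed by a legitimate URL.
const SAMPLE = 'see <img src=x onerror=alert(1)> and https://example.com/?a=1&b=2';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', linkifyUnsafe(SAMPLE));
  console.log('safer: ', linkifySafer(SAMPLE));
  // A javascript: URL is plain text to the safer version, never an anchor.
  console.log('scheme:', linkifySafer('click javascript:alert(1)'));
}
```

Even the safer version only addresses markup injection; as the reply notes, a syntactically valid `https://` link can still point somewhere malicious, which is a content problem that no linkifier can decide for you.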
In my research on the subject, I found the https://www.npmjs.com/package/sanitize-html package.