anchorme.js
Mutation XSS + general sanitization
There are character sequences that would be understood as benign by most sanitisers that, when they are passed through anchorme, result in JavaScript execution. I'll omit examples for obvious reasons; please reach out if you would like to know more.
Added to that, based on a small amount of research, it is obvious that users of the library do not know that the output of anchorme should not be trusted to be free of potentially malicious JavaScript. I think there is an argument to try to do sanitization (or at least make it a default switchable option), because that is how people often use the library and it is possibly beneficial to be safe by default. That said, even if this was not the preferred option, the fact that people are often using it in an unsafe way shows that it would be useful to have at least some sort of disclaimer that clarifies the security model of anchorme.
https://github.com/advisories/GHSA-w4wq-rvmq-77x7
Version 1.1.2 seems safe
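The security model discussed in this issue, sketched as an added example that is not anchorme's code and not part of the thread: a linkifier that treats its input as plain text and encodes every piece at output time, so the result does not depend on a sanitizer having run before the transformation. The names `escapeHtml`, `safeHref` and `linkifyText`, the URL pattern and the sample input are all assumptions made for illustration.

```javascript
// Added illustration; not anchorme's code. All names here are hypothetical.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

// Encode the five characters that can change HTML parsing context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Accept only absolute http(s) URLs that the WHATWG URL parser accepts.
function safeHref(candidate) {
  try {
    const u = new URL(candidate);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// Split on URL matches and escape every piece (text, href, label) on output.
function linkifyText(input) {
  let out = "";
  let last = 0;
  for (const m of input.matchAll(URL_RE)) {
    out += escapeHtml(input.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer nofollow">${escapeHtml(m[0])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(input.slice(last));
}

// Constructed sample input (not taken from the issue).
const sample = 'See <b title="x">this</b> at https://example.com/a?b=1&c=2 ok';
console.log(linkifyText(sample));
```

When the input must be allowed to contain HTML, the equivalent rule is to run the sanitizer over the final markup after linkification, not over the text that goes in.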