This page is outdated: you are reading documentation for Linkify v2. Browse the latest v3+ documentation.
Cross-Site Scripting
In particular, take care when using the linkifyHtml function.
All linkify functions that accept strings, with the exception of linkifyHtml, assume that their input is plain text. Since the functions output HTML, they encode the HTML-significant characters in these strings as HTML entities.
For example
    linkifyStr('<script src="https://evil.h4ckz.example.com/hack.js"></script>');
will output
    '&lt;script src="<a href="https://evil.h4ckz.example.com/hack.js">https://evil.h4ckz.example.com/hack.js</a>"&gt;&lt;/script&gt;'
a completely harmless link to the harmful JavaScript (provided the user doesn't download and run it). The surrounding script tag is rendered as literal text, not as an element.
The linkifyHtml interface will not do this escaping for you. It parses your input as HTML and outputs unescaped HTML, so any markup in the input survives into the output. It is up to you as a programmer to strip out unwanted HTML content before showing it to the user.
Other interfaces that work with the DOM, including linkify-element, linkify-jquery, and linkify-react, only apply to text nodes. By design, they will not generate any non-anchor tags that are not already in the DOM.
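The two contracts above, as an added example that is not linkify's own code: a minimal plain-text linkifier that escapes everything except the anchors it emits (the behaviour the page describes for linkifyStr), plus a post-condition check that the output carries no tags other than those anchors, which is the invariant the DOM interfaces promise and the check you want to run before rendering linkifyHtml output built from untrusted input. URL detection is a deliberately simplified http(s) regex, not linkify's parser.

```javascript
// Added example, not linkify's own code. URL detection is a simplified
// http(s) regex; linkify's real parser is more thorough.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Escape the characters that could open or close a tag in a text node.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values must also neutralise the quote that delimits the href.
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

// Plain-text mode: every non-URL character is escaped, and each URL becomes
// exactly one anchor. Markup in the input can never become a live element.
function linkifyPlainText(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeText(text.slice(last, m.index));
    out += `<a href="${escapeAttr(m[0])}">${escapeText(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeText(text.slice(last));
}

// Post-condition for output that came from untrusted input: the only tags
// present are anchors of the shape the linkifier emits. Anything else means
// the input was treated as HTML and must be sanitised before rendering.
function onlyAnchorTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<a\s+href="[^"]*">$/.test(t) || t === '</a>');
}

// The page's own input string, used here as sample data.
const untrusted = '<script src="https://evil.h4ckz.example.com/hack.js"></script>';
const rendered = linkifyPlainText(untrusted);

console.log(rendered);                 // entities around a single <a> tag
console.log(onlyAnchorTags(rendered)); // true
console.log(onlyAnchorTags(untrusted)); // false: the raw input still holds a script tag
```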
Cases not supported (yet)
- Non-latin domain names
- Non-latin top-level domains
- Non-standard email characters delimited by "
- Escaped \@ inside email local-part
- Slash characters in email addresses
See Email address syntax on Wikipedia.