Note about Cross-Site Scripting
In particular, take care when using the linkifyHtml function.

All linkify functions that accept strings, with the exception of linkifyHtml, assume that their input is plain text. Since these functions output HTML, they encode any HTML-significant characters in the input as entities, so markup in the input comes out as literal text rather than live tags.
For example
linkifyStr('<script src="https://evil.h4ckz.example.com/hack.js"></script>');
outputs
'&lt;script src="<a href="https://evil.h4ckz.example.com/hack.js">https://evil.h4ckz.example.com/hack.js</a>"&gt;&lt;/script&gt;'
a harmless link to the harmful JavaScript (provided no one downloads and runs it).
The linkifyHtml interface will NOT automatically do this! It will parse your input as HTML and output unescaped HTML. It is up to the programmer to strip out unwanted HTML content before rendering it to a webpage.
Other interfaces that work with the DOM, including linkify-element, linkify-jquery, and linkify-react, only apply to text nodes. By design, they will not generate any non-anchor tags that are not already in the DOM.
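To make the contrast between the two contracts concrete, here is an added example that is not linkify's own code: `linkifyPlainText`, `linkifyTrustedHtml`, `tagNames` and `addsOnlyAnchors` are hypothetical helpers that mimic, in a few lines, the behaviour the note describes for the string interfaces (escape first, then link), for linkifyHtml (tags pass through untouched, only text between them is linkified) and the "adds nothing but anchors" property stated for the DOM interfaces. `URL_RE` is a toy matcher, not linkify's real URL parser; the input string is the note's own payload.

```javascript
// Added example, not linkify's own code. All function names below are
// hypothetical stand-ins for the contracts the note describes; URL_RE is a toy
// pattern rather than linkify's real URL parser.

// Toy URL matcher. Excluding quotes and angle brackets also guarantees that a
// matched URL can never break out of the href="" attribute it is placed in.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// Escape the characters that can open markup inside a text node.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Wrap every URL in an anchor. The caller guarantees `text` holds no live markup.
function wrapUrls(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Plain-text path (the contract the note describes for linkifyStr):
// escape FIRST, then link. Markup in the input survives only as literal text.
function linkifyPlainText(input) {
  return wrapUrls(escapeText(input));
}

// HTML path (the contract the note describes for linkifyHtml): tags are passed
// through verbatim and only the text between them is linkified. Nothing is
// escaped, so whatever the input contains is what the browser will run.
function linkifyTrustedHtml(html) {
  return html
    .split(/(<[^>]*>)/) // the capturing group keeps the tags at odd indices
    .map((piece, i) => (i % 2 === 1 ? piece : wrapUrls(piece)))
    .join('');
}

// Audit helper: sorted list of tag names present in a fragment. Escaped markup
// such as &lt;script&gt; is not a tag and does not count.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g), (m) => m[1].toLowerCase()).sort();
}

// The property the note states for the DOM interfaces: relative to its input,
// a linkifier may add anchors and nothing else. Useful as a regression check.
function addsOnlyAnchors(input, output) {
  const before = tagNames(input);
  const after = tagNames(output).filter((n) => n !== 'a');
  return before.length === after.length && before.every((n, i) => n === after[i]);
}

// The note's own payload: a script tag pointing at an attacker-controlled host.
const EVIL = '<script src="https://evil.h4ckz.example.com/hack.js"></script>';

console.log(linkifyPlainText(EVIL));
// &lt;script src="<a href="https://evil.h4ckz.example.com/hack.js">https://evil.h4ckz.example.com/hack.js</a>"&gt;&lt;/script&gt;
console.log(linkifyTrustedHtml(EVIL));
// <script src="https://evil.h4ckz.example.com/hack.js"></script>   (passed through untouched, still live)
console.log(tagNames(linkifyPlainText(EVIL)), tagNames(linkifyTrustedHtml(EVIL)));
// [ 'a', 'a' ] [ 'script', 'script' ]
```

The plain-text path reproduces the note's example output character for character, and `tagNames` shows that the only real tags in it are the two halves of the anchor. The HTML path returns the script tag unchanged, which is exactly why untrusted input must go through an allowlist sanitizer (DOMPurify is a common choice) before it ever reaches linkifyHtml. `addsOnlyAnchors` is a cheap property check to keep in a test suite: it passes for either path, which is the point, because the linkifier was never the thing that introduced the script tag.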