Version | Supported | Remark |
---|---|---|
7.0.x | ✅ | |
< 7.0 | ❌ | jsdom |
Turndown input is
- either a string that is passed to a DOM parser
- or an
HTMLElement
referring to an already built DOM tree
When a string input is passed, the DOM parser is picked as follows.
- For web browser usage, the corresponding native web parser is used, which is typically
DOMImplementation
. - For standalone usage, domino parser is used.
Please note that a malicious string input can cause undesired effects within the DOM parser even before Turndown code starts processing the document itself. These effects especially include script execution and downloading external resources.
For critical applications with untrusted inputs, you should consider either cleaning up the input with a dedicated HTML sanitizer library or using an alternate DOM parser that better suits your security needs.
In particular, Turndown version 6 and below used jsdom as the
standalone DOM parser. As jsdom
is a fully featured DOM parser with script execution support,
it imposes an inherent security risk. We recommend upgrading to version 7, which uses
domino that doesn't even support executing scripts nor
downloading external resources.
If you've found a vulnerability, please report it to [email protected] and we'll get back to you.