diff --git a/README.md b/README.md index 5a4d3f7..e009e8c 100644 --- a/README.md +++ b/README.md @@ -151,8 +151,35 @@ Readability scans and scores HTML elements based on the number of words, links a ## Security +Readability is a content **extractor**, not a sanitizer. The returned +`Article::$content` (and `Article::$contentElement`) is HTML pulled from the +source page — it is *not* safe to render as-is when the input is untrusted. + If you're going to use Readability with untrusted input (whether in HTML or DOM form), we **strongly** recommend you use a sanitizer library like [HTML Purifier](https://github.com/ezyang/htmlpurifier) or [Symfony's HtmlSanitizer](https://symfony.com/doc/current/html_sanitizer.html) to avoid script injection when you use the output of Readability. We would also recommend using [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to add further defense-in-depth restrictions to what you allow the resulting content to do. The Firefox integration of reader mode uses both of these techniques itself. Sanitizing unsafe content out of the input is explicitly not something we aim to do as part of Readability itself - there are other good sanitizer libraries out there, use them! +Readability removes `