From cdab8fa44dce6af39ccb0c90839c3cab0a24bca4 Mon Sep 17 00:00:00 2001 From: Titus Wormer Date: Wed, 12 Feb 2025 16:52:25 +0100 Subject: [PATCH] Add paragraph on security Closes GH-1010. --- packages/remark-cli/readme.md | 24 +++--------------------- packages/remark-parse/readme.md | 23 +++-------------------- packages/remark-stringify/readme.md | 12 +++--------- packages/remark/readme.md | 23 +++-------------------- readme.md | 9 +++++++++ 5 files changed, 21 insertions(+), 70 deletions(-) diff --git a/packages/remark-cli/readme.md b/packages/remark-cli/readme.md index cf265742..af5449ee 100644 --- a/packages/remark-cli/readme.md +++ b/packages/remark-cli/readme.md @@ -302,19 +302,7 @@ compatible with Node.js 16. ## Security -As markdown can be turned into HTML and improper use of HTML can open you up to -[cross-site scripting (XSS)][wikipedia-xss] attacks, -use of remark can be unsafe. -When going to HTML, -you will likely combine remark with **[rehype][github-rehype]**, -in which case you should use -[`rehype-sanitize`][github-rehype-sanitize]. - -Use of remark plugins could also open you up to other attacks. -Carefully assess each plugin and the risks involved in using them. - -For info on how to submit a report, -see our [security policy][health-security]. +See [*§ Security* in `remarkjs/remark`][github-remark-security]. ## Contribute 
@@ -426,14 +414,12 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [github-markdown-style-guide]: https://github.com/remarkjs/remark-lint/tree/main/packages/remark-preset-lint-markdown-style-guide -[github-rehype]: https://github.com/rehypejs/rehype - -[github-rehype-sanitize]: https://github.com/rehypejs/rehype-sanitize - [github-remark]: https://github.com/remarkjs/remark [github-remark-core]: https://github.com/remarkjs/remark/tree/main/packages/remark +[github-remark-security]: https://github.com/remarkjs/remark#security + [github-remark-toc]: https://github.com/remarkjs/remark-toc [github-unified-args]: https://github.com/unifiedjs/unified-args @@ -448,12 +434,8 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md -[health-security]: https://github.com/remarkjs/.github/blob/main/security.md - [health-support]: https://github.com/remarkjs/.github/blob/main/support.md [npm-install]: https://docs.npmjs.com/cli/install [opencollective]: https://opencollective.com/unified - -[wikipedia-xss]: https://en.wikipedia.org/wiki/Cross-site_scripting diff --git a/packages/remark-parse/readme.md b/packages/remark-parse/readme.md index 5dc220fc..024957a7 100644 --- a/packages/remark-parse/readme.md +++ b/packages/remark-parse/readme.md 
@@ -252,18 +252,7 @@ compatible with Node.js 16. ## Security -As markdown can be turned into HTML and improper use of HTML can open you up to -[cross-site scripting (XSS)][wikipedia-xss] attacks, -use of remark can be unsafe. -When going to HTML, -you will combine remark with **[rehype][github-rehype]**, -in which case you should use [`rehype-sanitize`][github-rehype-sanitize]. - -Use of remark plugins could also open you up to other attacks. -Carefully assess each plugin and the risks involved in using them. - -For info on how to submit a report, -see our [security policy][health-security]. +See [*§ Security* in `remarkjs/remark`][github-remark-security]. ## Contribute @@ -387,10 +376,6 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [github-micromark-extensions]: https://github.com/micromark/micromark#extensions -[github-rehype]: https://github.com/rehypejs/rehype - -[github-rehype-sanitize]: https://github.com/rehypejs/rehype-sanitize - [github-remark]: https://github.com/remarkjs/remark [github-remark-core]: https://github.com/remarkjs/remark/tree/main/packages/remark @@ -409,6 +394,8 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [github-remark-plugins]: https://github.com/remarkjs/remark#plugins +[github-remark-security]: https://github.com/remarkjs/remark#security + [github-remark-stringify]: https://github.com/remarkjs/remark/tree/main/packages/remark-stringify [github-unified]: https://github.com/unifiedjs/unified @@ -419,8 +406,6 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md -[health-security]: https://github.com/remarkjs/.github/blob/main/security.md - [health-support]: https://github.com/remarkjs/.github/blob/main/support.md [npm-install]: https://docs.npmjs.com/cli/install 
@@ -428,5 +413,3 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [opencollective]: https://opencollective.com/unified [typescript]: https://www.typescriptlang.org - -[wikipedia-xss]: https://en.wikipedia.org/wiki/Cross-site_scripting diff --git a/packages/remark-stringify/readme.md b/packages/remark-stringify/readme.md index 3d9d1eb7..de178af5 100644 --- a/packages/remark-stringify/readme.md +++ b/packages/remark-stringify/readme.md @@ -248,13 +248,7 @@ compatible with Node.js 16. ## Security -Use of `remark-stringify` is safe. - -Use of remark plugins can open you up to attacks. -Carefully assess each plugin and the risks involved in using them. - -For info on how to submit a report, -see our [security policy][health-security]. +See [*§ Security* in `remarkjs/remark`][github-remark-security]. ## Contribute @@ -394,6 +388,8 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [github-remark-plugins]: https://github.com/remarkjs/remark#plugins +[github-remark-security]: https://github.com/remarkjs/remark#security + [github-unified]: https://github.com/unifiedjs/unified [health]: https://github.com/remarkjs/.github @@ -402,8 +398,6 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md -[health-security]: https://github.com/remarkjs/.github/blob/main/security.md - [health-support]: https://github.com/remarkjs/.github/blob/main/support.md [npm-install]: https://docs.npmjs.com/cli/install diff --git a/packages/remark/readme.md b/packages/remark/readme.md index 0996bc69..666b1710 100644 --- a/packages/remark/readme.md +++ b/packages/remark/readme.md 
@@ -282,18 +282,7 @@ compatible with Node.js 16. ## Security -As markdown can be turned into HTML and improper use of HTML can open you up to -[cross-site scripting (XSS)][wikipedia-xss] attacks, -use of remark can be unsafe. -When going to HTML, -you will combine remark with **[rehype][github-rehype]**, -in which case you should use [`rehype-sanitize`][github-rehype-sanitize]. - -Use of remark plugins could also open you up to other attacks. -Carefully assess each plugin and the risks involved in using them. - -For info on how to submit a report, -see our [security policy][health-security]. +See [*§ Security* in `remarkjs/remark`][github-remark-security]. ## Contribute @@ -411,16 +400,14 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [github-mdast]: https://github.com/syntax-tree/mdast -[github-rehype]: https://github.com/rehypejs/rehype - -[github-rehype-sanitize]: https://github.com/rehypejs/rehype-sanitize - [github-remark]: https://github.com/remarkjs/remark [github-remark-cli]: https://github.com/remarkjs/remark/tree/main/packages/remark-cli [github-remark-parse]: https://github.com/remarkjs/remark/tree/main/packages/remark-parse +[github-remark-security]: https://github.com/remarkjs/remark#security + [github-remark-stringify]: https://github.com/remarkjs/remark/tree/main/packages/remark-stringify [github-unified]: https://github.com/unifiedjs/unified @@ -431,8 +418,6 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md -[health-security]: https://github.com/remarkjs/.github/blob/main/security.md - [health-support]: https://github.com/remarkjs/.github/blob/main/support.md [npm-install]: https://docs.npmjs.com/cli/install 
@@ -440,5 +425,3 @@ Support this effort and give back by sponsoring on [OpenCollective][]! [opencollective]: https://opencollective.com/unified [typescript]: https://www.typescriptlang.org - -[wikipedia-xss]: https://en.wikipedia.org/wiki/Cross-site_scripting diff --git a/readme.md b/readme.md index eb51b57b..73cd4820 100644 --- a/readme.md +++ b/readme.md @@ -496,6 +496,15 @@ When going to HTML, you will combine remark with **[rehype][github-rehype]**, in which case you should use [`rehype-sanitize`][github-rehype-sanitize]. +Another security aspect is DDoS attacks. +An attacker could cause a crash or slow down with big files. +Crashes can also originate from smaller payloads, +often when thousands of things (such as lists or links) are opened. +It is wise to cap the accepted size of input +(500kb can hold a big book) +and to process content in a different thread or worker so that it can be +stopped when needed. + Use of remark plugins could also open you up to other attacks. Carefully assess each plugin and the risks involved in using them.
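Review bot: "DDoS attacks" in the new readme.md paragraph is the wrong term; what the paragraph goes on to describe (one big file, or one small payload that opens thousands of lists or links, causing a crash or slowdown) is a denial of service from a single crafted input, not a distributed one, so `Another security aspect is denial of service (DoS).` would be accurate. In the same paragraph, `so that it can be stopped when needed` names no trigger for stopping: suggest adding a time budget explicitly (e.g. `and to give it a time limit`) and saying why the worker matters, namely that parsing is synchronous CPU work that cannot be interrupted once started on the main thread, whereas a worker can be terminated from outside. Minor: `500kb` should be written `500 kB`, and the cap should apply to the raw input size before parsing begins.

Review bot: the four package readmes (remark-cli, remark-parse, remark-stringify, remark) each drop the sentence `For info on how to submit a report, see our security policy` together with the `[health-security]` definition, so reporting instructions now exist only if the root `## Security` section still carries them. The readme.md hunk in this patch does not show that line in its context, so please confirm the root section still links the security policy before merging; otherwise keep that one sentence in each package readme next to the new `See § Security in remarkjs/remark` pointer.

Review bot: the remark-stringify hunk replaces the package-specific statement `Use of remark-stringify is safe.` with the generic cross-reference, so readers of that package are sent to a section about XSS when going to HTML and about DoS against the parser, and the one thing the old text told them about this package is lost. Consider keeping that one line (the plugin caveat is already covered by the shared section) ahead of the `See § Security` pointer.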