In particular, take care when using the
All linkify functions that accept strings, with the exception of
assume that their input is plain-text. Since the functions output HTML, they
will convert HTML entities in these strings to encoded characters.
'<script src="<a href="https://evil.h4ckz.example.com/hack.js">https://evil.h4ckz.example.com/hack.js</a>"></script>'
linkifyHtml interface will not automatically do this. It will parse
your input as HTML and output unescaped HTML. It is up to you as a programmer
to strip out unwanted HTML content before showing it to the user.
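The plain-text behaviour described above, as an added sketch that is not linkify's own code: the raw string is tokenised first, then every piece is escaped for the context it lands in, so markup in the input stays inert and only the anchor tags are live. The names `URL_RE`, `escapeHtml`, `linkifyPlainText` and `hasNonAnchorTag` are hypothetical, and the URL matcher is deliberately narrow.

```javascript
// Added example: simplified stand-in, NOT linkify's implementation.
// Assumption: a deliberately narrow matcher for http(s) URLs only.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Encode every character that is significant in HTML text or in a
// double-quoted attribute value.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Treat `input` as plain text: tokenise the raw string first, then escape
// each piece for the context it lands in (text node or href attribute).
function linkifyPlainText(input) {
  let out = '';
  let last = 0;
  for (const m of input.matchAll(URL_RE)) {
    const url = m[0];
    out += escapeHtml(input.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(input.slice(last));
}

// Check for output review or tests: true if the markup opens or closes
// any element other than <a>.
function hasNonAnchorTag(html) {
  return /<\/?(?!a[\s>])[a-zA-Z]/.test(html);
}

// Constructed input, taken from the script-tag string on this page.
const untrusted = '<script src="https://evil.h4ckz.example.com/hack.js"></script>';
const safe = linkifyPlainText(untrusted);
console.log(safe);
console.log(hasNonAnchorTag(untrusted), hasNonAnchorTag(safe));
```

Running the same check over the output of an HTML-parsing interface shows whether tags from the input survived and still need to be stripped before display.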
Other interfaces that work with the DOM, including
linkify-react, only apply to text-nodes. By design, they
will not generate any non-anchor tags that are not already in the DOM.
Cases not supported (yet)
- Non-latin domain names
- Non-latin top-level domains
- Non-standard email characters delimited by
\@ inside email local-part.
- Slash characters in email addresses
See Email address syntax on Wikipedia.