[Docs] Add warning about XSS

README.md

@@ -10,6 +10,20 @@
 
 Tiny, fast, efficient, feature rich Javascript library to detect links / URLs / Emails in text and convert them to clickable HTML anchor links.
 
+> **⚠️ Warning**
+>
+> Output is not guaranteed to be [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting)-safe. If you call `anchorme` on untrusted user input, make sure to properly sanitize the output immediately before rendering, using a well-tested library such as [DOMPurify](https://github.com/cure53/DOMPurify). For example:
+>
+> ```js
+> el.innerHTML = DOMPurify.sanitize(anchorme(userInput)); // ✅ safe, assuming DOMPurify is correctly configured for your use case and threat model
+> el.textContent = anchorme.list(userInput).map((x) => x.string).join(', '); // ✅ safe, as we're only setting text, not rendering HTML
+> el.innerHTML = anchorme(TRUSTED_CONTENT_FROM_CMS); // ✅ safe, as we trust the input
+>
+> el.innerHTML = anchorme(userInput); // 🚨 unsafe
+> el.innerHTML = anchorme(DOMPurify.sanitize(userInput)); // 🚨 unsafe, as sanitization must be performed on output, not input
+> el.innerHTML = anchorme.list(userInput).map((x) => x.string).join(', '); // 🚨 unsafe, as we're still setting innerHTML
+> ```
+
 ## Main features
 
 -   **Sensitivity**:

index.html

@@ -151,9 +151,7 @@ <h1 id="demo" class="page-header">
 							<div class="row">
 								<div class="col-md-6">
 									<textarea
-										onkeydown="refresh();"
-										onkeyup="refresh();"
-										onchange="refresh();"
+										oninput="refresh();"
 										id="input"
 										style="width: 100%; height: 1000px;"
 									>