pixijs/html-text

Sanitize the text or document the XSS vector

rubenlg opened this issue · 1 comment

Since the text being added to the HTMLText object is HTML, that opens the door for XSS vulnerabilities if, for example, an application takes the formatted text from user input or an external resource.

Here is an example:

const unsafeString = `Hello <img onerror="console.log('XSS')" src="-"/> world!`;
const text = new HTMLText(unsafeString);

One option is to use an HTML sanitization library. Another option is to document clearly that when using HTMLText, the developer is responsible for sanitizing the text being passed in to prevent XSS vulnerabilities.
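As an added example (not code from this issue or from pixijs/html-text), one way an application can do the sanitizing the report says is the developer's job before handing a string to HTMLText: escape everything, then re-enable only a short, assumed list of attribute-free formatting tags, so an injected event handler attribute never survives.

```javascript
// Added example, not part of pixijs/html-text. HTMLText renders the string it
// is given as HTML, so untrusted input must be neutralised first. Strategy:
// escape every HTML-significant character, then re-enable only exact,
// attribute-free occurrences of a fixed set of tags. A bare <b> or <br/> has
// nowhere to carry an onerror/onload handler. For anything richer than this,
// use a maintained sanitizer (for example DOMPurify) instead of extending it.

// Assumed allowlist for this example; adjust to the formatting you actually use.
const ALLOWED_BARE_TAGS = ['b', 'i', 'u', 'em', 'strong', 'br'];

function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Returns markup safe to pass to HTMLText: every tag stays escaped except
// allowed tags written with no attributes, e.g. <b>, </b>, <br/>, <br />.
function sanitizeForHtmlText(input) {
  let out = escapeHtml(input);
  for (const tag of ALLOWED_BARE_TAGS) {
    // &lt;b&gt; -> <b>, &lt;/b&gt; -> </b>, &lt;br /&gt; -> <br />.
    // "&lt;b onclick=..." does not match because only whitespace and an
    // optional "/" may sit between the tag name and "&gt;".
    const pattern = new RegExp(`&lt;(/?)${tag}(\\s*/?)&gt;`, 'gi');
    out = out.replace(pattern, `<$1${tag}$2>`);
  }
  return out;
}

// Constructed sample input, the same vector as in the issue report.
const unsafeString = `Hello <img onerror="console.log('XSS')" src="-"/> world!`;
const safeMarkup = sanitizeForHtmlText(unsafeString);
// safeMarkup still contains the attacker's text, but only as escaped
// characters, so HTMLText shows it literally instead of creating an <img>.
// The application would then call: new HTMLText(safeMarkup)
```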

Thanks for letting me know. You're right.

Added a README note about it under usage. Maybe this project should take on that responsibility, but for now a note will suffice.