We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

If you discover a security vulnerability in MarkdownToAttributedString, please report it responsibly:
- Do NOT create a public GitHub issue
- Email the maintainer directly: GitHub Profile
- Include detailed information about the vulnerability
- Provide steps to reproduce the issue
- Wait for a response before public disclosure

When reporting a security vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact of the vulnerability
- Steps to reproduce: Detailed steps to reproduce the issue
- Environment: OS version, Swift version, Xcode version
- Code sample: Minimal code that demonstrates the issue
- Proposed fix: If you have a suggested fix

Response timeline:
- Initial response: Within 48 hours
- Status update: Within 1 week
- Fix release: Within 30 days (for critical issues)

Disclosure process:
- Report received and acknowledged
- Investigation and verification
- Fix development and testing
- Release of patched version
- Public disclosure (if appropriate)

MarkdownToAttributedString processes user input and should be used with caution:
- Validate input before processing
- Sanitize content from untrusted sources
- Limit input size to prevent memory issues
- Handle errors gracefully
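
One way to apply the size-limit and sanitization advice above, as an added example that is not part of MarkdownToAttributedString: it caps input by UTF-8 byte count and strips link attributes whose URL scheme is not allow-listed. The 64 KiB limit, the allow-list, the function names, and the assumption that converted links are stored under the standard `NSLink` attribute key are illustrative assumptions.

```swift
import Foundation

// Added example, not library code. Limit and allow-list are assumptions.
let maxMarkdownBytes = 64 * 1024
let allowedLinkSchemes: Set<String> = ["https", "mailto"]
// Raw value of NSAttributedString.Key.link; spelled out so Foundation alone suffices.
let linkKey = NSAttributedString.Key("NSLink")

/// Size gate applied before the input reaches the parser.
func isAcceptableSize(_ markdown: String) -> Bool {
    return markdown.utf8.count <= maxMarkdownBytes
}

/// Removes every link attribute whose URL scheme is not on the allow-list.
func strippingUntrustedLinks(from rendered: NSAttributedString) -> NSAttributedString {
    let result = NSMutableAttributedString(attributedString: rendered)
    let whole = NSRange(location: 0, length: result.length)
    var rejected: [NSRange] = []
    result.enumerateAttribute(linkKey, in: whole, options: []) { value, range, _ in
        guard let value = value else { return }
        // Link values may be stored as URL or as String.
        let url = (value as? URL) ?? (value as? String).flatMap({ URL(string: $0) })
        let scheme = url?.scheme?.lowercased() ?? ""
        if !allowedLinkSchemes.contains(scheme) { rejected.append(range) }
    }
    // Mutate only after enumeration has finished.
    for range in rejected { result.removeAttribute(linkKey, range: range) }
    return result
}

/// Size check, conversion, then link filtering. `convert` is the converter to
/// wrap, e.g. { $0.toAttributedString() } as used elsewhere on this page.
func renderUntrusted(_ markdown: String,
                     using convert: (String) -> NSAttributedString) -> NSAttributedString? {
    guard isAcceptableSize(markdown) else { return nil }
    return strippingUntrustedLinks(from: convert(markdown))
}

// Constructed demo: a stand-in converter that tags the text with a custom-scheme link.
let demo = renderUntrusted("tap me") { text in
    NSAttributedString(string: text,
                       attributes: [linkKey: URL(string: "customapp://open")!])
}
let linkSurvived = demo?.attribute(linkKey, at: 0, effectiveRange: nil) != nil
print("link kept:", linkSurvived)
```

Filtering the converted output rather than the raw Markdown means the check sees the URL the renderer will actually act on, whatever syntax produced it.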

The library is designed with memory safety in mind:
- Automatic memory management with Swift's ARC
- No manual memory allocation
- Safe string handling
- Bounds checking for array access

Consider platform-specific security features:
- iOS: App Sandbox restrictions
- macOS: File system permissions
- tvOS: Limited file system access
- watchOS: Memory constraints

```swift
import Foundation

// Validate input before processing
func safeMarkdownConversion(_ input: String) -> NSAttributedString? {
    // Check input length
    guard input.count < 10000 else { return nil }
    // Check for malicious content (case-sensitive match on the literal
    // "<script>" substring only; not a full sanitizer)
    guard !input.contains("<script>") else { return nil }
    // Process safely
    return input.toAttributedString()
}
```

```swift
do {
    let attributedString = markdown.toAttributedString()
    // Use the result safely
} catch {
    // Handle errors gracefully
    print("Conversion failed: \(error)")
}
```

```swift
// Limit resource usage
func processLargeDocument(_ markdown: String) {
    // Process in chunks for large documents
    // (splitting on "\n" converts each line independently)
    let chunks = markdown.split(separator: "\n")
    for chunk in chunks {
        let result = String(chunk).toAttributedString()
        // Process chunk
    }
}
```

No security vulnerabilities are currently known in MarkdownToAttributedString.

None reported to date.

Security updates will be released as needed:
- Critical issues: Immediate patch release
- High severity: Patch release within 1 week
- Medium severity: Next minor release
- Low severity: Next major release

For security-related questions or reports:
- Email: GitHub Profile
- GitHub: Security Advisories
- Issues: GitHub Issues

We thank the security community for responsible disclosure and helping keep MarkdownToAttributedString secure.

This security policy is part of the MarkdownToAttributedString project and is subject to the same MIT License.