The RTF toolkit includes comprehensive security protections:

• Group depth limits: Maximum 100 nested groups
• Document size limits: Maximum 50MB
• Text chunk limits: Maximum 1MB per text run
• Table size limits: Maximum 1000 fonts/colors/authors

• HTML escaping: All user content properly escaped
• CSS sanitization: Font names and color values validated
• Attribute escaping: Author names and metadata safely rendered

• Type checking at all entry points
• Bounds checking for numeric values
• Safe integer validation for parameters

DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: jonah.schulte@gmail.com

Please include:

1. Description of the vulnerability
2. Steps to reproduce with example RTF input if possible
3. Impact assessment (what could an attacker do?)
4. Suggested fix (if you have one)
5. Your contact information for follow-up

• Initial response: Within 48 hours
• Status update: Within 7 days
• Fix timeline: Depends on severity
  • CRITICAL: 1-3 days
  • HIGH: 1-2 weeks
  • MEDIUM/LOW: Next minor release

• We follow coordinated disclosure
• 90-day disclosure deadline from report
• We'll work with you on public disclosure timing
• Credit will be given to reporters (unless you prefer anonymity)

When using the library in a server environment:

import { parseRTF } from '@jonahschulte/rtf-toolkit';

// 1. Implement rate limiting
app.post('/api/parse-rtf', rateLimit({ max: 10 }), async (req, res) => {
  try {
    // 2. Validate file size before parsing
    if (req.body.rtf.length > 10 * 1024 * 1024) { // 10MB
      return res.status(413).send('File too large');
    }

    // 3. Use timeouts to prevent long-running parses
    const doc = await Promise.race([
      parseRTF(req.body.rtf),
      new Promise((_, reject) =>
        setTimeout(() => reject(new Error('Timeout')), 5000)
      )
    ]);

    res.json({ success: true, doc });
  } catch (error) {
    // 4. Don't expose internal errors to clients
    console.error('Parse error:', error);
    res.status(400).send('Invalid RTF document');
  }
});

When rendering HTML in the browser:

import { toHTML } from '@jonahschulte/rtf-toolkit';

// 1. Use Content Security Policy
// Add to your HTML:
// <meta http-equiv="Content-Security-Policy"
//       content="default-src 'none'; style-src 'unsafe-inline';">

// 2. Sanitize before inserting into DOM (defense in depth)
const html = toHTML(doc);
element.innerHTML = html; // Already escaped, but consider DOMPurify as well

• Maximum document size: 50MB (configurable in source)
• Maximum nesting depth: 100 levels (configurable in source)
• Maximum table sizes: 1000 entries each (configurable in source)

Documents exceeding these limits will throw errors. This is intentional security protection.

Run the security test suite:

npm test -- tests/security

Tests include:

• DoS attack vectors (nested groups, huge files)
• XSS attack vectors (HTML/CSS injection)
• Input validation edge cases

Security researchers who have helped improve the project:

• Your name could be here!

• OWASP Top 10
• RTF Specification
• Security Audit Report
• Security Fixes Guide

Last Updated: 2025-12-30