If you discover a security vulnerability in MetaOxide, please report it responsibly and do not disclose it publicly until a fix has been released.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email: Send your report to
security@meta-oxide.dev - Include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Affected versions (e.g., 0.1.0, 0.1.x)
- Potential impact
- Suggested fix (if you have one)
- Initial response: Within 24 hours
- Assessment & confirmation: Within 48 hours
- Fix development: Target 30 days for patch release
- Coordinated disclosure: We will work with you on timing and credit
| Version | Status | Security Updates |
|---|---|---|
| 0.1.x | Current | Yes |
| 0.0.x | End of Life | No |
Recommendation: Always use the latest version to ensure you have all security fixes.
When using MetaOxide:
-
Keep Dependencies Updated
- Regularly update MetaOxide and its dependencies
- Subscribe to security advisories
-
Validate Input
- Always validate and sanitize HTML input before extraction
- Be aware of potential XXE (XML External Entity) attacks in XML-based formats
- Handle edge cases in RDFa and microdata parsing
-
Use TLS for Data Transmission
- When transmitting extracted metadata over networks, use TLS/SSL
- Never send extracted data over unencrypted connections
-
Review Performance Guarantees
- MetaOxide extracts data from HTML as-is
- Malformed HTML may produce unexpected results
- Always validate extracted data before use in critical systems
-
Monitor Library Changes
- Review release notes for security-related changes
- Update regularly to get security patches
MetaOxide is a metadata extraction library, not an HTML validator or sanitizer:
- HTML Parsing: Uses fast parsing algorithms; does not validate HTML correctness
- Format Coverage: Extracts 13 common metadata formats; some edge cases may not be handled
- Data Accuracy: Extracted data is only as valid as the source HTML
- XXE Protection: While not typically an issue for HTML parsing, be cautious with RDFa/XML content
- XSLT/Script Injection: Does NOT execute scripts or stylesheets; treats them as data
- Memory-safe through Rust's ownership system
- No unsafe code in FFI boundary (checked)
- C-ABI interface properly validates string encoding
All bindings inherit memory safety from the Rust core:
- Python: No buffer overflows possible; uses PyO3 safe bindings
- Node.js: N-API provides safe JavaScript-Rust interaction
- Java: JNI bindings with proper exception handling
- C#: P/Invoke with safe type marshaling
- Go: cgo with Go's memory safety
- WASM: WebAssembly sandboxing provides isolation
MetaOxide minimizes external dependencies:
Core (Rust):
scraper- HTML parsing (actively maintained)serde_json- JSON parsing (widely trusted)- Minimal transitive dependencies
Bindings:
- Python: PyO3 (widely used, actively maintained)
- Node.js: neon-rs (Node.js recommended native binding framework)
- Java: Maven managed via pom.xml
- C#: .NET Framework (Microsoft maintained)
- Go: Standard library only
- WASM: Standard wasm-bindgen
All dependencies are regularly reviewed and updated.
No known security incidents have been reported for MetaOxide v0.1.0.
Please see CONTRIBUTING.md for how to responsibly report and contribute security fixes.
Last Updated: November 25, 2025
For more information, see:
- CONTRIBUTING.md - How to contribute
- CODE_OF_CONDUCT.md - Community standards