From 2794a0c7b39d33fa09a8467a9fba87c35fec6d76 Mon Sep 17 00:00:00 2001 From: John MacFarlane Date: Fri, 24 Oct 2014 12:02:46 -0700 Subject: README: Added note on protecting vs XSS attacks. Closes #61. --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'README.md') diff --git a/README.md b/README.md index fe37966..a4b0817 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,13 @@ will start this.) [Try it now!](http://jgm.github.io/stmd/js/) -[The spec] contains over 400 embedded examples which serve as conformance +Note that neither implementation attempts to sanitize link attributes or +raw HTML. If you use these libraries in applications that accept +untrusted user input, you must run the output through an HTML +sanitizer to protect against +[XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting). + +[The spec] contains over 450 embedded examples which serve as conformance tests. To run the tests for `stmd`, do `make test`. To run them for another Markdown program, say `myprog`, do `make test PROG=myprog`. To run the tests for `stmd.js`, do `make testjs`. -- cgit v1.2.3
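Review bot: the hunk bundles an unrelated change with the XSS note: the removed line says the spec "contains over 400 embedded examples" and the added replacement says "over 450", but the subject line ("README: Added note on protecting vs XSS attacks. Closes #61.") mentions only the sanitization note, so either split the count bump into its own commit or record it in the commit message. On the note itself, "neither implementation" relies on the reader having just seen `stmd` and `stmd.js` introduced above the hunk; naming them in the sentence ("neither `stmd` nor `stmd.js` attempts to sanitize ...") keeps the warning self-contained if the surrounding paragraphs are later reordered. It would also help to say explicitly that the sanitizer must run on the rendered HTML rather than on the Markdown source, since the two attack surfaces the hunk names, link attributes and raw HTML, are only fully visible in the renderer's output.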