author: John MacFarlane <fiddlosopher@gmail.com> 2014-10-24 12:02:46 -0700
committer: John MacFarlane <fiddlosopher@gmail.com> 2014-10-24 12:02:46 -0700
commit: 2794a0c7b39d33fa09a8467a9fba87c35fec6d76 (patch)
tree: 5dfdbe1cd3bb777c9987fd9700f4b901db151fa3 /README.md
parent: 4d9875ad71fbc67bcda1cc18c10c384606b44e31 (diff)
README: Added note on protecting vs XSS attacks.
Closes #61.
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 8
1 file changed, 7 insertions, 1 deletion
diff --git a/README.md b/README.md
index fe37966..a4b0817 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,13 @@ will start this.)
[Try it now!](http://jgm.github.io/stmd/js/)
-[The spec] contains over 400 embedded examples which serve as conformance
+Note that neither implementation attempts to sanitize link attributes or
+raw HTML. If you use these libraries in applications that accept
+untrusted user input, you must run the output through an HTML
+sanitizer to protect against
+[XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting).
+
+[The spec] contains over 450 embedded examples which serve as conformance
tests. To run the tests for `stmd`, do `make test`. To run them for
another Markdown program, say `myprog`, do `make test PROG=myprog`. To
run the tests for `stmd.js`, do `make testjs`.
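Review bot: the hunk bundles an unrelated edit with the security note: the `-`/`+` pair around the new paragraph changes "over 400 embedded examples" to "over 450 embedded examples", and the commit message ("README: Added note on protecting vs XSS attacks. Closes #61.") does not mention it; either split the count bump into its own commit or add a line to the message so the history is honest about what changed. On the note itself, it correctly places sanitization on the rendered output rather than the Markdown input; since the preceding sentence states that "neither implementation attempts to sanitize link attributes or raw HTML", it would help readers to add that filtering the Markdown source is not a substitute, because link destinations and raw HTML pass through the parser into the output unchanged, so only an HTML sanitizer applied to that output provides the protection the note describes.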