author Xavier Mendez <jmendeth@gmail.com> 2014-04-07 17:20:12 +0200
committer Xavier Mendez <jmendeth@gmail.com> 2014-04-07 17:20:12 +0200
commit 238c4d57cce10d33b05cf52a91fc62a09f31ffbb (patch)
tree a7ea96208fdea71093e69f96ba61b3e91a9e7dec
parent 4ad239da2863afdb6e236cd4df436fd03905babd (diff)
download rust-hoedown-238c4d57cce10d33b05cf52a91fc62a09f31ffbb.tar.gz
Talk about client-side attacks
-rw-r--r-- README.md 6
1 files changed, 5 insertions, 1 deletions
diff --git a/README.md b/README.md
index 37b451f..fe40f8b 100644
--- a/README.md
+++ b/README.md
@@ -32,11 +32,15 @@ Features
`Hoedown` has been extensively security audited, and includes protection against
all possible DOS attacks (stack overflows, out of memory situations, malformed
- Markdown syntax...) and against client attacks through malicious embedded HTML.
+ Markdown syntax...).
We've worked very hard to make `Hoedown` never crash or run out of memory
under *any* input.
+ **Warning**: `Hoedown` doesn't validate or post-process the HTML in Markdown documents.
+ Unless you use `HTML_ESCAPE` or `HTML_SKIP`, you should strongly consider using a
+ good post-processor in conjunction with Hoedown to prevent client-side attacks.
+
* **Customizable renderers**
`Hoedown` is not stuck with XHTML output: the Markdown parser of the library
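Review bot: the new warning contradicts itself on what `HTML_ESCAPE` and `HTML_SKIP` buy you. The first sentence states flatly that `Hoedown` "doesn't validate or post-process the HTML in Markdown documents", yet the next sentence, "Unless you use `HTML_ESCAPE` or `HTML_SKIP`, you should strongly consider using a good post-processor", reads as if those two options make an output sanitizer unnecessary, and nothing in the text says what they cover. Either document what each option does to the output, or make the recommendation unconditional, e.g. "Even with `HTML_ESCAPE` or `HTML_SKIP`, run the generated HTML through a sanitizer before serving it to browsers", so readers do not treat a render flag as a substitute for sanitization. Secondly, since this commit already drops the claim of protection "against client attacks through malicious embedded HTML", the unchanged context that still promises protection against "all possible DOS attacks" deserves the same narrowing to what was actually audited; an absolute like that in a security README will be quoted back at the project after the first crash report.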