Add notes on security

wooorm · wooorm · commit 3d726a43b644 · 2019-07-24T11:09:36.000+02:00
diff --git a/readme.md b/readme.md
@@ -171,6 +171,13 @@ For example, the following node:
 <i class="foo">bar</i>
 ```
 
+## Security
+
+Use of `remark-html` is *unsafe* by default and opens you up to a
+[cross-site scripting (XSS)][xss] attack.
+Pass `sanitize: true` to prevent attacks.
+Settings `sanitize` to anything else may be unsafe.
+
 ## Contribute
 
 See [`contributing.md`][contributing] in [`remarkjs/.github`][health] for ways
@@ -256,3 +263,5 @@ abide by its terms.
 [commonmark]: https://commonmark.org
 
 [integrations]: #integrations
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
