
Commit 139f9d9

authored
Added callouts for security considerations for in app messaging (#8290)
1 parent dc9b5e4 commit 139f9d9

3 files changed

+36
-0
lines changed

src/fragments/lib-v1/in-app-messaging/overview/overview.mdx

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,17 @@
11
Amplify In-App Messaging helps you better engage your users with messages they can see while actively using your application. Send targeted messages to your defined user segments or even trigger contextual messages based on user behavior. Once you are up and running with In-App Messaging, you’ll be able to create messages that look native to your application and deliver them to your users all without additional code changes.
22

3+
## Security Considerations
4+
5+
<Callout>
6+
7+
When implementing in-app messaging, please be aware of two important security considerations.
8+
9+
First, the endpointID generated by Amazon Pinpoint should be treated as confidential information. There is no built-in authorization mechanism based on endpointID, which means if an endpointID is compromised, other users could potentially access messages intended for different users. We recommend implementing appropriate security measures in your application to protect endpointID access.
10+
11+
Second, messages received from Amazon Pinpoint campaigns are delivered without any content sanitization. AWS Amplify acts as a pass-through service and does not perform any content validation or sanitization on these messages. To ensure application security, you should always sanitize message content before rendering it in your application to prevent potential security vulnerabilities such as cross-site scripting (XSS) attacks.
12+
13+
</Callout>
14+
315
The different types of messages that can be shown to users are:
416

517
- **Top Banner** – a message that appears as a banner at the top of the page.
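Review bot: the first consideration (new line 9) tells readers to "implement appropriate security measures in your application to protect endpointID access" without saying what those measures are, which leaves the callout non-actionable. Since the text itself states there is no authorization tied to the endpointID, spell out the handling you expect, for example: do not log the endpointID, do not place it in URLs or client-visible error output, and do not share one endpoint across different users' sessions. The XSS sentence (new line 11) would also benefit from saying when sanitization is required, namely when message content is injected as HTML rather than rendered as plain text, so readers who already render via text nodes know what they are protected against and those who use raw HTML insertion know they are the ones at risk.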

src/fragments/lib/in-app-messaging/overview/overview.mdx

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,17 @@
11
Amplify In-App Messaging helps you better engage your users with messages they can see while actively using your application. Send targeted messages to your defined user segments or even trigger contextual messages based on user behavior. Once you are up and running with In-App Messaging, you’ll be able to create messages that look native to your application and deliver them to your users all without additional code changes.
22

3+
## Security Considerations
4+
5+
<Callout>
6+
7+
When implementing in-app messaging, please be aware of two important security considerations.
8+
9+
First, the endpointID generated by Amazon Pinpoint should be treated as confidential information. There is no built-in authorization mechanism based on endpointID, which means if an endpointID is compromised, other users could potentially access messages intended for different users. We recommend implementing appropriate security measures in your application to protect endpointID access.
10+
11+
Second, messages received from Amazon Pinpoint campaigns are delivered without any content sanitization. AWS Amplify acts as a pass-through service and does not perform any content validation or sanitization on these messages. To ensure application security, you should always sanitize message content before rendering it in your application to prevent potential security vulnerabilities such as cross-site scripting (XSS) attacks.
12+
13+
</Callout>
14+
315
The different types of messages that can be shown to users are:
416

517
- **Top Banner** – a message that appears as a banner at the top of the page.
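Review bot: this callout is a verbatim copy of the one added to src/fragments/lib-v1/in-app-messaging/overview/overview.mdx in the same commit, and the same twelve lines are pasted a third time into the set-up-in-app-messaging page. The fragments directory exists precisely to avoid this; consider a single security-considerations fragment imported from all three locations so that any later wording fix (including the ones suggested for the endpointID and XSS paragraphs) only has to be made once.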

src/pages/[platform]/build-a-backend/add-aws-services/in-app-messaging/set-up-in-app-messaging/index.mdx

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,18 @@ A campaign is a messaging initiative that engages a specific audience segment. A
3131

3232
The following is an example utilizing the AWS CDK to create the In-App Messaging resource powered by [Amazon Pinpoint](https://aws.amazon.com/pinpoint/). Note: there are no official hand-written (L2) constructs for this service yet.
3333

34+
## Security Considerations
35+
36+
<Callout>
37+
38+
When implementing in-app messaging, please be aware of two important security considerations.
39+
40+
First, the endpointID generated by Amazon Pinpoint should be treated as confidential information. There is no built-in authorization mechanism based on endpointID, which means if an endpointID is compromised, other users could potentially access messages intended for different users. We recommend implementing appropriate security measures in your application to protect endpointID access.
41+
42+
Second, messages received from Amazon Pinpoint campaigns are delivered without any content sanitization. AWS Amplify acts as a pass-through service and does not perform any content validation or sanitization on these messages. To ensure application security, you should always sanitize message content before rendering it in your application to prevent potential security vulnerabilities such as cross-site scripting (XSS) attacks.
43+
44+
</Callout>
45+
3446
<Callout informational>
3547

3648
**Note:** Campaign start time must be at least 15 minutes in future. In-app messages can only be synced to local device once the campaign becomes active (Status should be "In Progress" in the campaigns screen of the Pinpoint console).
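Review bot: the new section is inserted directly after the context line "The following is an example utilizing the AWS CDK to create the In-App Messaging resource..." (line 32), so "the following" now points at the "## Security Considerations" heading rather than at the CDK example it introduces. Move the section either above that sentence or below the CDK example and the existing informational callout about campaign start time, so the page reads: intro sentence, CDK example, note, then security considerations. Importing the shared fragment here instead of pasting the text would also keep this copy in sync with the two overview fragments.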
