Update README.md

Author: yaronn

README.md

@@ -132,11 +132,20 @@ Example:
 	sig.keyInfoProvider = new FileKeyInfo("client_public.pem")
 	sig.loadSignature(signature)
 	var res = sig.checkSignature(xml)
-	if (!res) console.log(sig.validationErrors)
+	if (!res) console.log(sig.validationErrors)	
 `````
 
 if the verification process fails `sig.validationErrors` will have the errors.
 
+In order to protect from some attacks we must check the content we want to use is the one that has been signed:
+`````javascript
+	var elem = select(doc, "/xpath_to_interesting_element");
+	var uri = sig.references[0].uri; // might not be 0 - depending on the document you verify
+        var id = (uri[0] === '#') ? uri.substring(1) : uri;
+        if (node.getAttribute('ID') != id && node.getAttribute('Id') != id)
+          throw new Error('the interesting element was not the one verified by the signature')
+`````
+
 Note:
 
 The xml-crypto api requires you to supply it separately the xml signature ("<Signature>...</Signature>", in loadSignature) and the signed xml (in checkSignature). The signed xml may or may not contain the signature in it, but you are still required to supply the signature separately.