Update README.md

Author: Rich-Harris

README.md

@@ -84,10 +84,27 @@ const template = `
 This, along with the fact that `devalue` bails on functions and non-POJOs, stops attackers from executing arbitrary code. Strings generated by `devalue` can be safely deserialized with `eval` or `new Function`:
 
 ```js
-const value = eval('(' + str + ')');
+const value = (0,eval)('(' + str + ')');
 ```
 
 
+## Other security considerations
+
+While `devalue` prevents the XSS vulnerability shown above, meaning you can use it to send data from server to client, **you should not send user data from client to server** using the same method. Since it has to be evaluated, an attacker that successfully submitted data that bypassed `devalue` would have access to your system.
+
+When using `eval`, ensure that you call it *indirectly* so that the evaluated code doesn't have access to the surrounding scope:
+
+```js
+{
+  const sensitiveData = 'Setec Astronomy';
+  eval('sendToEvilServer(sensitiveData)'); // pwned :(
+  (0,eval)('sendToEvilServer(sensitiveData)'); // nice try, evildoer!
+}
+```
+
+Using `new Function(code)` is akin to using indirect eval.
+
+
 ## See also
 
 * [lave](https://github.com/jed/lave) by Jed Schmidt
@@ -98,4 +115,4 @@ const value = eval('(' + str + ')');
 
 ## License
 
-[LIL](LICENSE)
+[LIL](LICENSE)