Add notes on security

wooorm · wooorm · commit 3d07e2aeca91 · 2019-07-16T11:38:35.000+02:00
diff --git a/readme.md b/readme.md
@@ -200,6 +200,12 @@ Yields:
 Some text with <svg viewBox="0 0 1 1" width="1" height="1"><rect fill="black" x="0" y="0" width="1" height="1"></rect></svg> a graphic… Wait is that a dead pixel?
 ```
 
+## Security
+
+Use of `hast-util-to-mdast` can open you up to a
+[cross-site scripting (XSS)][xss] attack if the hast tree is unsafe.
+Use [`hast-util-santize`][sanitize] to make the hast tree safe.
+
 ## Related
 
 *   [`hast-util-to-nlcst`](https://github.com/syntax-tree/hast-util-to-nlcst)
@@ -291,6 +297,10 @@ abide by its terms.
 
 [rehype-remark]: https://github.com/rehypejs/rehype-remark
 
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
+
+[sanitize]: https://github.com/syntax-tree/hast-util-sanitize
+
 [handler]: #optionshandlers
 
 [handlers]: https://github.com/syntax-tree/hast-util-to-mdast/tree/master/lib/handlers
