From 234f4202792bc398d2141873c002b409c699dd91 Mon Sep 17 00:00:00 2001 From: Gijs Date: Mon, 15 Jul 2019 14:40:34 +0100 Subject: [PATCH] Clarify security implications of using readability --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 72a927e..6db3c92 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,18 @@ process (like loading and showing the user a webpage) with the complex logic in Readability. Improvements to its logic (while not deteriorating its performance) are very welcome. +## Security + +If you're going to use Readability with untrusted input (whether in HTML or DOM form), we +**strongly** recommend you use a sanitizer library like +[DOMPurify](https://github.com/cure53/DOMPurify) to avoid script injection when you use +the output of Readability. We would also recommend using +[CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to add further defense-in-depth +restrictions to what you allow the resulting content to do. The Firefox integration of +reader mode uses both of these techniques itself. Sanitizing unsafe content out of the input +is explicitly not something we aim to do as part of Readability itself - there are other +good sanitizer libraries out there, use them! + ## Contributing [![Build Status](https://travis-ci.org/mozilla/readability.svg?branch=master)](https://travis-ci.org/mozilla/readability)
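Review bot: The new Security section is ambiguous about where the sanitizer runs, which is the one thing a reader of this paragraph needs to get right. The first sentence says to use DOMPurify "when you use the output of Readability", while the closing sentence talks about "Sanitizing unsafe content out of the input", so a reader could conclude that pre-cleaning the HTML or DOM they hand to Readability is the recommended approach. Suggest stating the order explicitly, for example "Run the sanitizer on the content Readability returns, immediately before you insert it into a document; Readability does not sanitize either its input or its output", so the sentence about what Readability does not aim to do matches the recommendation above it. Two smaller points in the same hunk: "untrusted input (whether in HTML or DOM form)" would read more clearly as "untrusted input, whether you pass it as an HTML string or as a DOM", and the spaced hyphen in "Readability itself - there are other" should be a colon or a separate sentence to match the rest of the README.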