From 9978cecea2b68cc69d458a03112b7597d1fc2e4c Mon Sep 17 00:00:00 2001
From: Mario Heiderich
Date: Tue, 25 Jun 2024 15:17:11 +0200
Subject: [PATCH] docs: Added better security warning about SAFE_FOR_XML to README

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 7ca20db2e..6bfe90fba 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,9 @@ const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: true});
 // change how e.g. comments containing risky HTML characters are treated.
+// be very careful, this setting should only be set to `false` if you really only handle
+// HTML and nothing else, no SVG, MathML or the like.
+// Otherwise, changing from `true` to `false` will lead to XSS in this or some other way.
 const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_XML: false});
 ```