From 4cee48b3ea754a28ef325b0ebc74ebe82dcfffd5 Mon Sep 17 00:00:00 2001 From: smcv Date: Tue, 22 Mar 2016 02:45:03 -0400 Subject: [PATCH] briefly describe XSS issue --- doc/plugins/contrib/remark.mdwn | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/plugins/contrib/remark.mdwn b/doc/plugins/contrib/remark.mdwn index 20f5b7d7e..8c178321f 100644 --- a/doc/plugins/contrib/remark.mdwn +++ b/doc/plugins/contrib/remark.mdwn @@ -21,10 +21,11 @@ not elegantly). Clicking through to the slides works right, of course. See [[Discussion#inline]]. -## Concern: safety of web-editing +## Problem: safety of web-editing -Even though `remarkpage.tmpl` has no action links, is it still possible -for someone to trick their way into web-editing a slide deck? And if -they do, is that dangerous? +This plugin is not currently safe for wikis where `.remark` pages can be +edited by untrusted users; the [[plugins/htmlscrubber]] is unlikely to be +able to prevent cross-site scripting in this plugin. Make sure only trusted +(administrative) users can create or edit `.remark` pages. See [[Discussion#editing]]. -- 2.39.5
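Review bot: The replacement paragraph states that `[[plugins/htmlscrubber]]` is "unlikely to be able to prevent cross-site scripting in this plugin" without saying why, which leaves an administrator unable to judge whether any configuration of the scrubber helps; a single clause naming the reason (what about the `.remark` rendering path bypasses server-side scrubbing) would make the warning actionable. The closing sentence "Make sure only trusted (administrative) users can create or edit `.remark` pages" also gives no pointer to how that restriction is enforced in this wiki; linking the page-locking or edit-permission mechanism the wiki already documents would turn the advice into a concrete mitigation step. Changing the heading from "Concern" to "Problem" is appropriate given the answer is now a definite statement rather than an open question.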