From 5148e9011c2b728077323855e1445404d8938cdd Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Thu, 16 Apr 2015 15:43:56 -0400 Subject: [PATCH] Make note of possible XSS in Rustdoc Fixes #24160 --- src/doc/trpl/documentation.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/doc/trpl/documentation.md b/src/doc/trpl/documentation.md index 06071a8f15fa4..9c5e9c8c6743b 100644 --- a/src/doc/trpl/documentation.md +++ b/src/doc/trpl/documentation.md @@ -560,3 +560,12 @@ This sets a few different options, with a logo, favicon, and a root URL. - `--html-before-content FILE`: includes the contents of FILE directly after ``, before the rendered content (including the search bar). - `--html-after-content FILE`: includes the contents of FILE after all the rendered content. + +## Security note + +The Markdown in documentation comments is placed without processing into +the final webpage. Be careful with literal HTML: + +```rust +/// +```
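Review bot: The added "Security note" section tells the reader to "Be careful with literal HTML" but never names the risk or says what to do about it; the subject line says XSS, the added text does not. Suggest saying directly that HTML written in a doc comment is emitted into the generated page as-is, so markup such as a script element would run in the browser of anyone viewing the docs, and that documentation generated from code you do not trust should be hosted accordingly. The phrase "placed without processing" is also imprecise next to the context line's "rendered content": the Markdown is rendered, and it is the HTML embedded in it that passes through unescaped. Finally, the `rust` example as it appears here contains only `///`, so it shows nothing; it needs the literal HTML line it is meant to warn about, and a sentence after the block explaining what happens when that page is opened.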