Suggestion from Synk

Document that mustache.java is unsafe for use with untrusted templates by default.
spullara · May 10, 2021 · 28d8a4a · 28d8a4a
1 parent d11c5a9
commit 28d8a4a
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -2,6 +2,9 @@ Mustache.java [![Build Status](https://travis-ci.org/spullara/mustache.java.svg?
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fspullara%2Fmustache.java.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fspullara%2Fmustache.java?ref=badge_shield)
 =============
 
+Mustache.java is not designed to allow untrusted parties to provide templates. It may be possible to lock it down to provide that safely,
+but by default it is UNSAFE.
+
 As of release 0.9.0 mustache.java is now Java 8 only. For Java 6/7 support use 0.8.x.
 
 There are no external dependencies and the compiler library is ~100k.