Add notes on security

Author: wooorm

readme.md

@@ -52,6 +52,11 @@ Labelable nodes have a `tagName` set to `button`, `keygen`,
 `meter`, `output`, `progress`, `select`, `textarea`, and `input`
 (excluding `[type=hidden]`).
 
+## Security
+
+`hast-util-labelable` does not change the syntax tree so there are no openings
+for [cross-site scripting (XSS)][xss] attacks.
+
 ## Contribute
 
 See [`contributing.md` in `syntax-tree/.github`][contributing] for ways to get
@@ -113,3 +118,5 @@ abide by its terms.
 [node]: https://github.com/syntax-tree/hast#nodes
 
 [element]: https://github.com/syntax-tree/hast#element
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting