From ecbe5a3890cbc2c041ee6255b5e383f99299ff40 Mon Sep 17 00:00:00 2001 From: Greg Weber Date: Sun, 30 Jun 2013 10:19:20 -0700 Subject: [PATCH] add intro note about comprehensiveness --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d4b91eb..11f6953 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,9 @@ # Summary xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. -For example, this allows a web application to safely use a rich text editor or allow html in comments. +The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below. + +Sanitizing allows a web application to safely use a rich text editor, allow html in comments, or otherwise display untrusted HTML. If you trust the HTML (you wrote it), you do not need to use this. If you don't trust the html you probably also do not trust that the tags are balanced and should use the sanitizeBalance function.
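Review bot: The new sentence "there are limitations enumerated below" makes a promise the hunk does not anchor: consider naming the section (for example, a "Limitations" heading) so a reader evaluating a sanitizer for untrusted input can find the list directly and so the claim stays true if the README is reorganized. Since "fairly comprehensive, including support for css in style attributes" is the sentence a user will rely on when deciding whether to accept style attributes at all, it would also help to state in the same place what the style-attribute filtering does and does not cover, rather than leaving that to the later list. Minor style point in the added lines: "html" and "HTML" are mixed within the same paragraph ("allow html in comments" versus "display untrusted HTML"); pick one spelling.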