From 3ca83a79bf6fcd019ab53e1b10a83663c6b3a34d Mon Sep 17 00:00:00 2001 From: Steve Klabnik Date: Thu, 16 Apr 2015 15:43:56 -0400 Subject: [PATCH] Make note of possible XSS in Rustdoc Fixes #24160 --- src/doc/trpl/documentation.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/doc/trpl/documentation.md b/src/doc/trpl/documentation.md index 06071a8f15fa..9c56ab11dbcc 100644 --- a/src/doc/trpl/documentation.md +++ b/src/doc/trpl/documentation.md @@ -560,3 +560,13 @@ This sets a few different options, with a logo, favicon, and a root URL. - `--html-before-content FILE`: includes the contents of FILE directly after ``, before the rendered content (including the search bar). - `--html-after-content FILE`: includes the contents of FILE after all the rendered content. + +## Security note + +The Markdown in documentation comments is placed without processing into +the final webpage. Be careful with literal HTML: + +```rust +/// +# fn foo() {} +```
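Review bot: the new "Security note" section in src/doc/trpl/documentation.md tells the reader to "Be careful with literal HTML" but never says what can go wrong. The subject line calls this a possible XSS, yet the added text does not name it or say who is affected. Suggest one sentence stating that HTML written in a doc comment, script included, is emitted as-is into the generated page and runs in the browser of whoever views those docs. It would also help to say what a reader should do about it, for example reviewing doc comments from code they did not write before publishing the rendered output. The wording "The Markdown in documentation comments is placed without processing" is also imprecise, since the Markdown is rendered. Presumably the point is that inline HTML inside it passes through unescaped, and the sentence should say that. Finally, as the example appears here, its `///` line carries no HTML at all, so the block only shows a hidden `# fn foo() {}` line and does not illustrate the warning. Please check that the doc comment in the example contains the literal HTML it is meant to demonstrate.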