Add notes on security

readme.md

@@ -102,6 +102,14 @@ By default, the following is used:
 Extra properties to set on the link (`Object?`).
 Defaults to `{ariaHidden: true}` when in `'prepend'` or `'append'` mode.
 
+## Security
+
+Use of `remark-autolink-headings` can open you up to a
+[cross-site scripting (XSS)][xss] attack if you pass user provided content in
+`linkProperties` or `content`.
+
+Always be wary of user input and use [`rehype-sanitize`][sanitize].
+
 ## Contribute
 
 See [`contributing.md`][contributing] in [`remarkjs/.github`][health] for ways
@@ -118,10 +126,6 @@ abide by its terms.
 
 <!-- Definitions -->
 
-[MIT][license] © [Ben Briggs][author]
-
-<!-- Definitions -->
-
 [build-badge]: https://img.shields.io/travis/remarkjs/remark-autolink-headings/master.svg
 
 [build]: https://travis-ci.org/remarkjs/remark-autolink-headings
@@ -171,3 +175,7 @@ abide by its terms.
 [rehype-autolink-headings]: https://github.com/rehypejs/rehype-autolink-headings
 
 [hast]: https://github.com/syntax-tree/hast
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
+
+[sanitize]: https://github.com/rehypejs/rehype-sanitize