From 2e808d459f358238c6ecb556f8c733d230537488 Mon Sep 17 00:00:00 2001 From: Titus Wormer Date: Wed, 14 Oct 2020 09:31:09 +0200 Subject: [PATCH] stringify: fix security section --- packages/remark-stringify/readme.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/packages/remark-stringify/readme.md b/packages/remark-stringify/readme.md index 532bbc600..a2fe8c562 100644 --- a/packages/remark-stringify/readme.md +++ b/packages/remark-stringify/readme.md @@ -66,10 +66,17 @@ Then create a wrapper plugin such as [`remark-gfm`][remark-gfm]. ## Security +`remark-stringify` will do its best to serialize markdown to match the syntax +tree, but there are several cases where that is impossible. +It’ll do its best, but complete roundtripping is impossible given that any +value could be injected into the tree. + As Markdown is sometimes used for HTML, and improper use of HTML can open you up -to a [cross-site scripting (XSS)][xss] attack, use of remark can also be unsafe. -When going to HTML, use remark in combination with the [**rehype**][rehype] -ecosystem, and use [`rehype-sanitize`][sanitize] to make the tree safe. +to a [cross-site scripting (XSS)][xss] attack, use of `remark-stringify` and +parsing it again later can potentially be unsafe. +When parsing Markdown afterwards, use remark in combination with the +[**rehype**][rehype] ecosystem, and use [`rehype-sanitize`][sanitize] to make +the tree safe. Use of remark plugins could also open you up to other attacks. Carefully assess each plugin and the risks involved in using them.
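Review bot: the two new sentences opening the section both say that `remark-stringify` "will do its best", and the second one restates the first; fold them into a single sentence so the security point is stated once, e.g. "`remark-stringify` does its best to serialize markdown that matches the syntax tree, but complete roundtripping is impossible: any value can be injected into the tree, so the output may not reparse to the same tree." Separately, the rewritten guidance now reads "When parsing Markdown afterwards, use remark in combination with the [**rehype**][rehype] ecosystem, and use [`rehype-sanitize`][sanitize]", but the XSS risk named in the preceding sentence only arises when the re-parsed Markdown is turned into HTML, and `rehype-sanitize` operates on that HTML tree; consider keeping the original "When going to HTML" qualifier so readers do not assume that re-parsing alone is where sanitization applies.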