From 28d8a4a88a8c4a402259d1ff5088b6bd8e99719f Mon Sep 17 00:00:00 2001 From: Sam Pullara Date: Mon, 10 May 2021 09:52:09 -0700 Subject: [PATCH] Suggestion from Synk Document that mustache.java is unsafe for use with untrusted templates by default. --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 7d3a07bc..bc1b717c 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,9 @@ Mustache.java [![Build Status](https://travis-ci.org/spullara/mustache.java.svg? [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fspullara%2Fmustache.java.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fspullara%2Fmustache.java?ref=badge_shield) ============= +Mustache.java is not designed to allow untrusted parties to provide templates. It may be possible to lock it down to provide that safely, +but by default it is UNSAFE. + As of release 0.9.0 mustache.java is now Java 8 only. For Java 6/7 support use 0.8.x. There are no external dependencies and the compiler library is ~100k.
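Review bot: The warning added to README.md in this hunk does not say what "UNSAFE" means in practice or what "lock it down" refers to, so a reader cannot act on it. State concretely what a template author can do with access to the rendering context (the reason untrusted templates are a problem), and either name the API or configuration that the sentence "It may be possible to lock it down to provide that safely" alludes to, with a pointer to its documentation, or drop that hedge so the text reads as a plain "do not render untrusted templates" statement. A one-line pointer to where to report security issues would also fit here. As a style point, the note is inserted between the badge block and the "As of release 0.9.0 ..." paragraph with no heading; giving it its own short section in the README's existing heading style (e.g. a "Security" heading) would keep it from being read as part of the version note and make it easier to link to.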