diff --git a/README.md b/README.md
index 03793c9..f9babf6 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,30 @@ simplemde.value();
simplemde.value("This text will appear in the editor");
```
+## Security
+
+By default simpleMDE does not sanitize user input before rendering markdown to html. This can result in cross site scripting (XSS) vulnerabilities.
+Here is an example of using DOMPurify and Markdown to sanitize the HTML before rendering.
+
+```html
+
+
+
+
+
+
+
+
+
+```
+
## Configuration
- **autoDownloadFontAwesome**: If set to `true`, force downloads Font Awesome (used for icons). If set to `false`, prevents downloading. Defaults to `undefined`, which will intelligently check whether Font Awesome has already been included, then download accordingly.
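Review bot: the fenced `html` block in the new Security section is empty, so the README now promises "an example of using DOMPurify and Markdown to sanitize the HTML before rendering" and then shows nothing; please fill in the snippet (the markdown-to-HTML call, followed by passing its output through DOMPurify before the result reaches the preview) or drop the sentence until the example exists. Two smaller points in the prose: "Markdown" here appears to mean a markdown-rendering library rather than the format, so name the library and the hook in SimpleMDE's configuration where the sanitizer is applied, and write "SimpleMDE" and "cross-site scripting" for consistency with the rest of the README. It would also help readers to state explicitly that the unsanitized default applies to the preview/rendered output, since that is where script injection through user-supplied markdown would take effect.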