-rw-r--r--  MANUAL.txt  30
1 files changed, 30 insertions, 0 deletions
diff --git a/MANUAL.txt b/MANUAL.txt
index c126eb9d2..fb3fda805 100644
--- a/MANUAL.txt
+++ b/MANUAL.txt
@@ -4842,6 +4842,36 @@ which you can modify according to your needs, do
[lua]: http://www.lua.org
+A note on security
+==================
+
+If you use pandoc to convert user-contributed content in a web
+application, here are some things to keep in mind:
+
+1. Although pandoc itself will not create or modify any files other
+ than those you explicitly ask it create (with the exception
+ of temporary files used in producing PDFs), a filter or custom
+ writer could in principle do anything on your file system. Please
+ audit filters and custom writers very carefully before using them.
+
+2. If your application uses pandoc as a Haskell library (rather than
+ shelling out to the executable), it is possible to use it in a mode
+ that fully isolates pandoc from your file system, by running the
+ pandoc operations in the `PandocPure` monad. See the document
+ [Using the pandoc API](http://pandoc.org/using-the-pandoc-api.html)
+ for more details.
+
+3. Pandoc's parsers can exhibit pathological performance on some
+ corner cases. It is wise to put any pandoc operations under
+ a timeout, to avoid DOS attacks that exploit these issues.
+
+4. The HTML generated by pandoc is not guaranteed to be safe.
+ If `raw_html` is enabled for the Markdown input, users can
+ inject arbitrary HTML. Even if `raw_html` is disabled,
+ users can include dangerous content in attributes for
+ headers, spans, and code blocks. To be safe, you should
+ run all the generated HTML through an HTML sanitizer.
+
Authors
=======
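Review bot: item 1 of the new section drops a word: "those you explicitly ask it create" should read "those you explicitly ask it to create". In item 3, "DOS attacks" should be "DoS attacks" (denial of service), and since item 2 already distinguishes shelling out from using the library, it would help to say where the timeout goes in each case (a process-level timeout around the executable, or a timeout around the `PandocPure` operation when using the API). In item 4, consider stating the recommendation positively as a requirement for any untrusted input, not only Markdown: the sentence "To be safe, you should run all the generated HTML through an HTML sanitizer" is the one actionable control here, and readers are likely to skim the `raw_html` discussion and conclude that disabling that extension is sufficient, which the preceding sentence says it is not.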