Add a paragraph about injection safety (#1161)

* Add a paragraph about injection safety

* Rewrite into Security and Handling errors

* minor edits to the suggested whitelist

README.md

@@ -42,6 +42,26 @@ var html = katex.renderToString("c = \\pm\\sqrt{a^2 + b^2}");
 
 Make sure to include the CSS and font files, but there is no need to include the JavaScript. Like `render`, `renderToString` throws if it can't parse the expression.
 
+#### Security
+
+Any HTML generated by KaTeX *should* be safe from `<script>` or other code
+injection attacks.
+(See `maxSize` below for preventing large width/height visual affronts.)
+Of course, it is always a good idea to sanitize the HTML, though you will need
+a rather generous whitelist (including some of SVG and MathML) to support 
+all of KaTeX.
+
+#### Handling errors
+
+If KaTeX encounters an error (invalid or unsupported LaTeX), then it will
+throw an exception of type `katex.ParseError`.  The message in this error
+includes some of the LaTeX source code, so needs to be escaped if you want
+to render it to HTML.  In particular, you should convert `&`, `<`, `>`
+characters to `&amp;`, `&lt;`, `&gt;` (e.g., using `_.escape`)
+before including either LaTeX source code or exception messages in your
+HTML/DOM.  (Failure to escape in this way makes a `<script>` injection
+attack possible if your LaTeX source is untrusted.)
+
 #### Rendering options
 
 You can provide an object of options as the last argument to `katex.render` and `katex.renderToString`. Available options are: