From c47d8ffd05e3ca9a5466f70c374bebed4492a1b9 Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Fri, 26 Jan 2018 15:04:42 -0500 Subject: [PATCH] Document doesn't use dangerous Nokogiri config --- README.rdoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.rdoc b/README.rdoc index 95693f08..dd08ebf8 100644 --- a/README.rdoc +++ b/README.rdoc @@ -257,6 +257,16 @@ And the mailing list is on librelist: And the IRC channel is \#loofah on freenode. +== Security + +Some tools may incorrectly report loofah is a potential security vulnerability. +Loofah depends on Nokogiri, and it's possible to use Nokogiri in a dangerous way +(by enabling its DTDLOAD option and disabling its NONET option). +This dangerous Nokogiri configuration, which is sometimes used by other components, +can create an XML External Entity (XXE) vulnerability if the XML data is not trusted. +However, loofah never enables this dangerous Nokogiri configuration; +loofah never enables DTDLOAD, and it never disables NONET. + == Related Links * Nokogiri: http://nokogiri.org
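Review bot: the guarantee at the end of the new == Security section ("loofah never enables DTDLOAD, and it never disables NONET") should say what it covers: it describes the Nokogiri parse options Loofah itself sets, and the paragraph already acknowledges that "other components" sometimes use the dangerous configuration, so add a sentence making clear that the statement is about Loofah's own parsing and that the protection depends on no other component having parsed the untrusted XML with DTDLOAD on and NONET off before Loofah handles it. Two smaller points on the same hunk: "Some tools may incorrectly report loofah is a potential security vulnerability" reads better as "...report that loofah has a potential security vulnerability" (a library is not itself a vulnerability), and the project name is capitalised inconsistently within one paragraph ("loofah" in most sentences, "Loofah" at the start of the second); pick one form. Since the section asks readers to trust the DTDLOAD/NONET claim, a pointer to Nokogiri's parse-options documentation next to the existing Nokogiri entry under == Related Links would let them verify it.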