Merge branch 'master' into develop

CHANGELOG.md

@@ -62,3 +62,4 @@ The system, however, is not final and will probably be changed until the final v
 
    If you're using angular integration, you should install ng-showdown. Ex: `bower install ng-showdown`
 
+* **extensions:** showdown extensions were removed from core package and now live in their own repository. See the [project's github page](https://github.com/showdownjs) for available extensions

README.md

@@ -27,6 +27,10 @@ You can also use github CDN directly in your html file(s).
 
     https://cdn.rawgit.com/showdownjs/showdown/<version tag>/dist/showdown.min.js
 
+## Changelog
+
+You can check the full changelog at https://github.com/showdownjs/showdown/blob/master/CHANGELOG.md
+
 ## Browser Compatibility
 
 Showdown has been tested successfully with:
@@ -155,6 +159,16 @@ var thisConverterSpecificOptions = conveter.getOptions();
 ShowdownJS project also provides seamlessly integration with AngularJS via a "plugin".
 Please visit https://github.com/showdownjs/ngShowdown for more information.
 
+## XSS vulnerability
+
+Showdown doesn't sanitize the input. This is by design since markdown relies on it to allow certain features to be correctly parsed into HTML. This, however, means XSS injection is quite possible.
+
+If you use showdown to parse untrusted input (such as user contributed data), you should: 
+
+ - DEFINITELY sanitize the content but only AFTER converting to HTML, not before.
+ - PREFERABLY that should be done server side, not client side.
+
+There are a couple of libraries in the wild for your preferred language.
 
 ## Extensions