Add paragraph on security

Closes GH-1010.

packages/remark-cli/readme.md

@@ -302,19 +302,7 @@ compatible with Node.js 16.
 
 ## Security
 
-As markdown can be turned into HTML and improper use of HTML can open you up to
-[cross-site scripting (XSS)][wikipedia-xss] attacks,
-use of remark can be unsafe.
-When going to HTML,
-you will likely combine remark with **[rehype][github-rehype]**,
-in which case you should use
-[`rehype-sanitize`][github-rehype-sanitize].
-
-Use of remark plugins could also open you up to other attacks.
-Carefully assess each plugin and the risks involved in using them.
-
-For info on how to submit a report,
-see our [security policy][health-security].
+See [*§ Security* in `remarkjs/remark`][github-remark-security].
 
 ## Contribute
 
@@ -426,14 +414,12 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [github-markdown-style-guide]: https://github.com/remarkjs/remark-lint/tree/main/packages/remark-preset-lint-markdown-style-guide
 
-[github-rehype]: https://github.com/rehypejs/rehype
-
-[github-rehype-sanitize]: https://github.com/rehypejs/rehype-sanitize
-
 [github-remark]: https://github.com/remarkjs/remark
 
 [github-remark-core]: https://github.com/remarkjs/remark/tree/main/packages/remark
 
+[github-remark-security]: https://github.com/remarkjs/remark#security
+
 [github-remark-toc]: https://github.com/remarkjs/remark-toc
 
 [github-unified-args]: https://github.com/unifiedjs/unified-args
@@ -448,12 +434,8 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md
 
-[health-security]: https://github.com/remarkjs/.github/blob/main/security.md
-
 [health-support]: https://github.com/remarkjs/.github/blob/main/support.md
 
 [npm-install]: https://docs.npmjs.com/cli/install
 
 [opencollective]: https://opencollective.com/unified
-
-[wikipedia-xss]: https://en.wikipedia.org/wiki/Cross-site_scripting

packages/remark-parse/readme.md

@@ -252,18 +252,7 @@ compatible with Node.js 16.
 
 ## Security
 
-As markdown can be turned into HTML and improper use of HTML can open you up to
-[cross-site scripting (XSS)][wikipedia-xss] attacks,
-use of remark can be unsafe.
-When going to HTML,
-you will combine remark with **[rehype][github-rehype]**,
-in which case you should use [`rehype-sanitize`][github-rehype-sanitize].
-
-Use of remark plugins could also open you up to other attacks.
-Carefully assess each plugin and the risks involved in using them.
-
-For info on how to submit a report,
-see our [security policy][health-security].
+See [*§ Security* in `remarkjs/remark`][github-remark-security].
 
 ## Contribute
 
@@ -387,10 +376,6 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [github-micromark-extensions]: https://github.com/micromark/micromark#extensions
 
-[github-rehype]: https://github.com/rehypejs/rehype
-
-[github-rehype-sanitize]: https://github.com/rehypejs/rehype-sanitize
-
 [github-remark]: https://github.com/remarkjs/remark
 
 [github-remark-core]: https://github.com/remarkjs/remark/tree/main/packages/remark
@@ -409,6 +394,8 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [github-remark-plugins]: https://github.com/remarkjs/remark#plugins
 
+[github-remark-security]: https://github.com/remarkjs/remark#security
+
 [github-remark-stringify]: https://github.com/remarkjs/remark/tree/main/packages/remark-stringify
 
 [github-unified]: https://github.com/unifiedjs/unified
@@ -419,14 +406,10 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md
 
-[health-security]: https://github.com/remarkjs/.github/blob/main/security.md
-
 [health-support]: https://github.com/remarkjs/.github/blob/main/support.md
 
 [npm-install]: https://docs.npmjs.com/cli/install
 
 [opencollective]: https://opencollective.com/unified
 
 [typescript]: https://www.typescriptlang.org
-
-[wikipedia-xss]: https://en.wikipedia.org/wiki/Cross-site_scripting

packages/remark-stringify/readme.md

@@ -248,13 +248,7 @@ compatible with Node.js 16.
 
 ## Security
 
-Use of `remark-stringify` is safe.
-
-Use of remark plugins can open you up to attacks.
-Carefully assess each plugin and the risks involved in using them.
-
-For info on how to submit a report,
-see our [security policy][health-security].
+See [*§ Security* in `remarkjs/remark`][github-remark-security].
 
 ## Contribute
 
@@ -394,6 +388,8 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [github-remark-plugins]: https://github.com/remarkjs/remark#plugins
 
+[github-remark-security]: https://github.com/remarkjs/remark#security
+
 [github-unified]: https://github.com/unifiedjs/unified
 
 [health]: https://github.com/remarkjs/.github
@@ -402,8 +398,6 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md
 
-[health-security]: https://github.com/remarkjs/.github/blob/main/security.md
-
 [health-support]: https://github.com/remarkjs/.github/blob/main/support.md
 
 [npm-install]: https://docs.npmjs.com/cli/install

packages/remark/readme.md

@@ -282,18 +282,7 @@ compatible with Node.js 16.
 
 ## Security
 
-As markdown can be turned into HTML and improper use of HTML can open you up to
-[cross-site scripting (XSS)][wikipedia-xss] attacks,
-use of remark can be unsafe.
-When going to HTML,
-you will combine remark with **[rehype][github-rehype]**,
-in which case you should use [`rehype-sanitize`][github-rehype-sanitize].
-
-Use of remark plugins could also open you up to other attacks.
-Carefully assess each plugin and the risks involved in using them.
-
-For info on how to submit a report,
-see our [security policy][health-security].
+See [*§ Security* in `remarkjs/remark`][github-remark-security].
 
 ## Contribute
 
@@ -411,16 +400,14 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [github-mdast]: https://github.com/syntax-tree/mdast
 
-[github-rehype]: https://github.com/rehypejs/rehype
-
-[github-rehype-sanitize]: https://github.com/rehypejs/rehype-sanitize
-
 [github-remark]: https://github.com/remarkjs/remark
 
 [github-remark-cli]: https://github.com/remarkjs/remark/tree/main/packages/remark-cli
 
 [github-remark-parse]: https://github.com/remarkjs/remark/tree/main/packages/remark-parse
 
+[github-remark-security]: https://github.com/remarkjs/remark#security
+
 [github-remark-stringify]: https://github.com/remarkjs/remark/tree/main/packages/remark-stringify
 
 [github-unified]: https://github.com/unifiedjs/unified
@@ -431,14 +418,10 @@ Support this effort and give back by sponsoring on [OpenCollective][]!
 
 [health-contributing]: https://github.com/remarkjs/.github/blob/main/contributing.md
 
-[health-security]: https://github.com/remarkjs/.github/blob/main/security.md
-
 [health-support]: https://github.com/remarkjs/.github/blob/main/support.md
 
 [npm-install]: https://docs.npmjs.com/cli/install
 
 [opencollective]: https://opencollective.com/unified
 
 [typescript]: https://www.typescriptlang.org
-
-[wikipedia-xss]: https://en.wikipedia.org/wiki/Cross-site_scripting

readme.md

@@ -496,6 +496,15 @@ When going to HTML,
 you will combine remark with **[rehype][github-rehype]**,
 in which case you should use [`rehype-sanitize`][github-rehype-sanitize].
 
+Another security aspect is DDoS attacks.
+An attacker could cause a crash or slow down with big files.
+Crashes can also originate from smaller payloads,
+often when thousands of things (such as lists or links) are opened.
+It is wise to cap the accepted size of input
+(500kb can hold a big book)
+and to process content in a different thread or worker so that it can be
+stopped when needed.
+
 Use of remark plugins could also open you up to other attacks.
 Carefully assess each plugin and the risks involved in using them.