Add notes on security

Author: wooorm

readme.md

@@ -91,6 +91,12 @@ A comment marker.
     values to numbers and booleans when possible
 *   `node` ([`Node`][node]) — Reference to given node
 
+## Security
+
+Use of `mdast-comment-marker` does not involve [**hast**][hast], user content,
+or change the tree, so there are no openings for
+[cross-site scripting (XSS)][xss] attacks.
+
 ## Contribute
 
 See [`contributing.md` in `syntax-tree/.github`][contributing] for ways to get
@@ -150,3 +156,7 @@ abide by its terms.
 [node]: https://github.com/syntax-tree/unist#node
 
 [marker]: #marker
+
+[xss]: https://en.wikipedia.org/wiki/Cross-site_scripting
+
+[hast]: https://github.com/syntax-tree/hast