pandao · huntr-helper · Mar 25, 2020 · Mar 27, 2020 · Apr 3, 2020 · Sep 9, 2020
diff --git a/README.md b/README.md
@@ -40,8 +40,8 @@
 - 支持 AMD / CMD 模块化加载（支持 [Require.js](https://pandao.github.io/editor.md/examples/use-requirejs.html) & [Sea.js](https://pandao.github.io/editor.md/examples/use-seajs.html)），并且支持[自定义扩展插件](https://pandao.github.io/editor.md/examples/define-plugin.html)；
 - 兼容主流的浏览器（IE8+）和 [Zepto.js](https://pandao.github.io/editor.md/examples/use-zepto.html)，且支持 iPad 等平板设备；
 
-#### Download & install
-
+#### Download & install
+
 Download:
 
 [Github download](https://github.com/pandao/editor.md/archive/master.zip)
@@ -58,23 +58,23 @@ Bower install :
 bower install editor.md
 ```
 
-#### Usages
-
+#### Usages
+
 ##### Create a Markdown editor
 
 ```html
 <link rel="stylesheet" href="editor.md/css/editormd.min.css" />
-<div id="editor">
+<div id="editor">
     <!-- Tips: Editor.md can auto append a `<textarea>` tag -->
     <textarea style="display:none;">### Hello Editor.md !</textarea>
 </div>
 <script src="jquery.min.js"></script>
 <script src="editor.md/editormd.min.js"></script>
 <script type="text/javascript">
     $(function() {
-        var editor = editormd("editor", {
-            // width: "100%",
-            // height: "100%",
+        var editor = editormd("editor", {
+            // width: "100%",
+            // height: "100%",
             // markdown: "xxxx",     // dynamic set Markdown text
             path : "editor.md/lib/"  // Autoload modules mode, codemirror, marked... dependents libs path
         });
@@ -85,13 +85,13 @@ bower install editor.md
 If you using modular script loader:
 
 - [Using Require.js](https://github.com/pandao/editor.md/tree/master/examples/use-requirejs.html)
-- [Using Sea.js](https://github.com/pandao/editor.md/tree/master/examples/use-seajs.html)
-
-##### Markdown to HTML
-
+- [Using Sea.js](https://github.com/pandao/editor.md/tree/master/examples/use-seajs.html)
+
+##### Markdown to HTML
+
 ```html
 <link rel="stylesheet" href="editormd/css/editormd.preview.css" />
-<div id="test-markdown-view">
+<div id="test-markdown-view">
     <!-- Server-side output Markdown text -->
     <textarea style="display:none;">### Hello world!</textarea>             
 </div>
@@ -104,27 +104,27 @@ If you using modular script loader:
 	    var testView = editormd.markdownToHTML("test-markdown-view", {
             // markdown : "[TOC]\n### Hello world!\n## Heading 2", // Also, you can dynamic set Markdown text
             // htmlDecode : true,  // Enable / disable HTML tag encode.
-            // htmlDecode : "style,script,iframe",  // Note: If enabled, you should filter some dangerous HTML tags for website security.
-        });
-    });
-</script>    
-```
-
-> See the full example: [http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html](http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html)
-
-##### HTML to Markdown?
-
+            // htmlDecode : "style,script,iframe|on*",  // Note: If enabled, you should filter some dangerous HTML tags for website security, you can also filter trigers.
+        });
+    });
+</script>    
+```
+
+> See the full example: [http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html](http://editor.md.ipandao.com/examples/html-preview-markdown-to-html.html)
+
+##### HTML to Markdown?
+
 Sorry, Editor.md not support HTML to Markdown parsing, Maybe In the future.
 
 #### Examples
 
-[https://pandao.github.io/editor.md/examples/index.html](https://pandao.github.io/editor.md/examples/index.html)
-
-#### Options
-
-Editor.md options and default values:
-
-```javascript
+[https://pandao.github.io/editor.md/examples/index.html](https://pandao.github.io/editor.md/examples/index.html)
+
+#### Options
+
+Editor.md options and default values:
+
+```javascript
 {
     mode                 : "gfm",          // gfm or markdown
     name                 : "",             // Form element name for post
@@ -229,19 +229,36 @@ Editor.md options and default values:
         name        : "zh-cn",
         description : "开源在线Markdown编辑器<br/>Open source online Markdown editor.",
         tocTitle    : "目录",
-        toolbar     : {
-            //...
-        },
-        button: {
-            //...
+        toolbar     : {
+            //...
+        },
+        button: {
+            //...
         },
-        dialog : {
-            //...
-        }
-        //...
-    }
-}
+        dialog : {
+            //...
+        }
+        //...
+    }
+}
+```
+
+#### Avoid XSS
+
+Script and events are disabled by default to avoid XSS
+
+If you want to enable you need to pass in htmlDecode:
+
+allowScript as FilterTag
+allowOn as FilterAttribute
+
 ```
+htmlDecode : "allowScript|allowOn"
+```
+
+extra filters can be set in coma separated list format
+
+Be warned that enabled scripting can be dangerous and lead to [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting)
 
 #### Dependents