Author: Michael Savage <firstname.lastname@example.org>
Date: Mon, 16 Feb 2015 21:17:20 +0000
Add security note
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
@@ -42,7 +42,16 @@ Usage
-Lua will keep plaintext messages and encryption keys around in memory as
-part of its string interning mechanism. As far as I'm aware, there's
-nothing I can do about this.
+Generated keys and ciphertexts will use the full range of ASCII values.
+They should be handled with care - displaying them as-is can introduce
+subtle flaws. For example, keys and ciphertexts can contain quotes,
+which makes them unsafe to insert into SQL queries<sup>1</sup>, HTML and
+JSON. If in doubt, base64/hex encode them.
+<sup>1</sup>: [SQL injection with MD5 hashes][sql]
+Additionally, Lua will keep plaintext messages and encryption keys
+around in memory as part of its string interning mechanism. As far as
+I'm aware, there's nothing I can do about this.
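Review bot: the reference-style link `[sql]` used in `<sup>1</sup>: [SQL injection with MD5 hashes][sql]` has no matching `[sql]: <url>` definition within this hunk; if it is not defined elsewhere in README.md the footnote renders as literal brackets, so please add the definition in this commit. On the guidance itself, "If in doubt, base64/hex encode them" understates the risk the preceding sentences describe: since keys and ciphertexts span the full byte range (including NUL and quote characters), recommend encoding them unconditionally before display or storage, and for the SQL case point readers to bind parameters or BLOB columns rather than escaping, because quoting alone does not make arbitrary bytes safe to embed in a query string.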