Diffstat (limited to 'README.md')
-rw-r--r-- README.md 42
1 files changed, 42 insertions, 0 deletions
diff --git a/README.md b/README.md
index 71d6773..b443472 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,48 @@ Here are the differences to be aware of:
The binding construct `expander-let` must be used, or else the
variable's global binding must be assigned.
+* CL-WHO has some bugs around attribute handling. When the value of an
+ attribute is a constant expression, only the specific values `T`
+ and `NIL` are treated properly, not constant expressions which evaluate
+ to `T` and `NIL`. Then we see the mistaken attribute values `'NIL` and `'T'`:
+ This works properly in TL-WHO:
+
+ ::text
+ [1]> (in-package :cl-who)
+ #<PACKAGE CL-WHO>
+ WHO[2]> (with-html-output-to-string (str)
+ (:foo :bar t))
+ "<foo bar='bar'></foo>"
+ WHO[3]> (with-html-output-to-string (str)
+ (:foo :bar (quote t)))
+ "<foo bar='T'></foo>"
+ WHO[4]> (with-html-output-to-string (str)
+ (:foo :bar nil))
+ "<foo></foo>"
+ WHO[5]> (with-html-output-to-string (str)
+ (:foo :bar 'nil))
+ "<foo bar='NIL'></foo>"
+
+* TL-WHO fixes the issue that CL-WHO doesn't HTML-escape the values of
+ attributes, and that its local macro `fmt` likewise doesn't escape.
+ This is a potential security issue, because if an untrusted value
+ is interpolated, it can be a vector for an injection attack.
+ The special variable `*cl-who-compat*` can be set true to disable the
+ escaping, but is not recommended.
+
+ ::text
+ [1]> (in-package :cl-who)
+ #<PACKAGE CL-WHO>
+ WHO[2]> (with-html-output-to-string (out)
+ (:a :href "https://example.com'>malicious here</a><a href='blah" "click me"))
+ "<a href='https://example.com'>malicious here</a><a href='blah'>click me</a>"
+
+* TL-WHO provides a `noesc` syntax. When the value of an attribute is
+ expressed as `(noesc <expr>)`, escaping is disabled:
+
+ ::text
+ (:a :href (noesc trusted-url) "click me")
+
Additionally, users (of CL-WHO and TL-WHO alike) are advised to watch for the
following issue: the CL-WHO documentation is not accurately maintained and
makes some references to material that no longer exists in CL-WHO, such as the
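Review bot: the attribute-handling bullet writes the mistaken values as `'NIL` and `'T'`; the trailing quote on `'T'` looks like a typo (the quoted symbol is `'T`, and the transcript renders the attribute as `bar='T'`), and that sentence ends in a colon where a period is wanted before "This works properly in TL-WHO". In the escaping bullet, the transcript shows only CL-WHO's injected output for the `:href` value; add the matching TL-WHO transcript so a reader can see what the escaped attribute actually looks like, and say which characters are escaped. Because the example uses `:href`, it would also help to note that attribute escaping keeps the value from breaking out of the quoted attribute but does not validate the URL itself (a `javascript:` scheme passes through unchanged), so `(noesc trusted-url)` belongs only on values validated elsewhere. Finally, `noesc` is documented only for attribute values; since the previous bullet says `fmt` now escapes too, state whether `noesc` also applies inside element bodies or how unescaped body output is produced.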