Clarify security considerations.
The exclusion of scripts, applets, binary objects, and other potentially executable code from XHTML-IM reduces the risk of exposure to harmful or malicious objects caused by inclusion of XHTML content. To further reduce the risk of such exposure, an implementation MAY choose to:
+While scripts, applets, binary objects and other potentially executable code is excluded from the profiles used in XHTML-IM, malicious entities still may inject those and thus exploit entities which rely on this exclusion. Entities thus MUST assume that inbound XHTML-IM may be mailicious and MUST sanitize it according to the profile used, by ignoring elements and removing attributes as needed.
+To further reduce the risk of such exposure, an implementation MAY choose to: