[epiphany/mcatanzaro/#1612: 3/14] Add anti-XSS rules to HACKING file

[Marge Bot <marge-bot src gnome org>]

commit 2f0fcea640b6219e55ceb02aba796158e49650a4
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Tue Dec 14 16:42:30 2021 -0600

    Add anti-XSS rules to HACKING file
    
    Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045>

 HACKING.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
---
diff --git a/HACKING.md b/HACKING.md
index 545d7c960..8a050769f 100644
--- a/HACKING.md
+++ b/HACKING.md
@@ -167,6 +167,19 @@ more `WebKitWebExtension`s (web process extensions). Meanwhile, each
 `WebKitWebView` will have one or more `WebKitWebPage`s. Only one page will be
 active in a view at a given time: the other pages are for process swaps.
 
+# Security
+
+When injecting untrusted data into web content, you need to properly encode the
+data for the relevant context in order to prevent XSS vulnerabilities. For
+example: page titles could be malicious, URLs could be malicious, web app IDs
+could be malicious, etc. You must carefully read and understand the [OWASP
+XSS Prevention 
rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+or you will mess up. `lib/ephy-output-encoding.h` contains functions to help
+with this.
+
+When working with JavaScript, pay particular attention to Rule #8 "Prevent DOM-
+based XSS" as it is tricky and requires care throughout your JavaScript.
+
 # Debugging
 
 To enable debugging use the configure option `-Ddeveloper_mode=true`.