Added notes about XSS when using URIFragments directly

articles/framework/advanced/advanced-urifu.asciidoc

@@ -108,6 +108,8 @@ public class MyUI extends UI {
     }
 
     void enter(String fragment) {
+        // it is good practice to not use the fragment directly but to sanitize it first
+        // since it can be set by the user
         ... initialize the UI ...
     }
 }
@@ -155,7 +157,7 @@ public class MyCustomServlet extends VaadinServlet
             Writer writer = response.getWriter();
             writer.append("<html><body>"+
                 "<p>Here is some crawlable "+
-                "content about " + fragment + "</p>");
+                "content about " + sanitizeHtmlFragment(fragment) + "</p>");
 
             // A list of all crawlable pages
             String items[] = {"mercury", "venus",
@@ -172,6 +174,11 @@ public class MyCustomServlet extends VaadinServlet
         } else
             super.service(request, response);
     }
+
+    private String sanitizeHtmlFragment(String s){
+        // return a String that is safe to use in HTML
+        ... implementation ...
+    }
 }
 ----
 

articles/framework/articles/AccessingWebPageAndBrowserInformation.asciidoc

@@ -38,6 +38,14 @@ page.addUriFragmentChangedListener(new UriFragmentChangedListener() {
 });
 ....
 
+Note: HTML is disabled by default in Notifications, but can be enabled with
+[methodname]#setHtmlContentAllowed(true)#. When enabled, you can use any HTML
+markup in the caption and description of a notification. If it is in any way
+possible to get the notification content from user input, you should either
+disallow HTML or sanitize the content carefully, as noted in
+<<../advanced/advanced-security#advanced.security.sanitizing,"Sanitizing
+User Input to Prevent Cross-Site Scripting">>.
+
 You can access client browser details:
 
 [source,java]