From a6a48dad58359c186412ae90099f4d7e4dd44094 Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer
Date: Tue, 4 Mar 2025 17:49:22 +0100
Subject: [PATCH] add a note on cross-site-scripting to JS feature description (#30)
---
 includes/class-settings.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/includes/class-settings.php b/includes/class-settings.php
index dabfa37..bac36c7 100644
--- a/includes/class-settings.php
+++ b/includes/class-settings.php
@@ -243,7 +243,9 @@ class Settings extends SCLiveticker {
 'embedded-script',
 '[embedded_script]',
 self::$options['embedded_script'],
- __( 'Allow embedded script evaluation in tick contents. This might be useful for embedded content, e.g. social media integrations.', 'stklcode-liveticker' ),
+ __( 'Allow embedded script evaluation in tick contents. This might be useful for embedded content, e.g. social media integrations.', 'stklcode-liveticker' ) .
+ ' ' .
+ __( 'Be aware that this feature potentially enables cross-site scripting, so make sure content is created by trusted people and only enable this if required.', 'stklcode-liveticker' ),
 __( 'Allow JavaScript in tick content', 'stklcode-liveticker' )
 );
 }
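Review bot: The warning added to the `embedded-script` description tells administrators to rely on "trusted people", but nothing in this hunk shows which users can author tick content or whether script-bearing content is tied to a capability, so the advice is hard to act on. If the save or render path does not already restrict this to users holding something like WordPress's `unfiltered_html` capability, that check should be added there; that code is outside this hunk, so this needs confirming. Here I would at least record the trust assumption next to the option, e.g. `// Security: when enabled, scripts in tick content are evaluated in visitors' browsers; tick authors must be fully trusted.` The enclosing call and its method both begin outside the hunk.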