From 4e929dbbad9c3b8d2d88f7a44916f14758d39ee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luc=C3=ADa=20Andrea=20Illanes=20Albornoz?= Date: Sat, 20 Apr 2024 11:13:35 +0200 Subject: etc/README.md: updated. --- etc/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/README.md b/etc/README.md index 908675bf..ef3fd74e 100644 --- a/etc/README.md +++ b/etc/README.md @@ -968,6 +968,14 @@ by setting ``ARG_MIRROR_DNAME_GIT=...``. [//]: # "{{{ 4.7. Bourne shell coding rules" ## 4.7. Bourne shell coding rules +> N.B. Input sanitisation is mandatory whenever input may form part of a parameter name, most usually +when indexing with input as a key into a (pseudo-)hash, e.g. PKG_ZSH_<...input...>; failing to do so +may introduce security vulnerabilities (e.g.: $(arbitrary_command) and ${arbitrary_variable} facilitating +code execution and information disclosure, resp.) +Do not use this code and these coding rules if this is not possible or impractical. + +*(reproduced from [[shrtl](https://github.com/lalbornoz/shrtl/blob/master/README.md)])* + If no rationale is specified for any specific point, the rationale is avoidance of undefined behaviour and/or implicit behaviour contingent on often subtle special cases, both of which are prone to cause hard to debug or even diagnose bugs. -- cgit v1.2.3
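Review bot: The N.B. added under "4.7. Bourne shell coding rules" makes input sanitisation mandatory but never states what counts as sanitised, so a reader cannot tell when the rule has been met. Since the risk it names is input forming part of a parameter name (`PKG_ZSH_<...input...>`), suggest giving the acceptance criterion in the note itself, for example that the input is validated against the characters legal in a shell parameter name (letters, digits, underscore) and rejected otherwise, before it is concatenated into the name. Two smaller points in the same hunk: "if this is not possible or impractical" has an unclear antecedent and would read better as "if such sanitisation is not possible or is impractical"; and only the first added line carries the `>` marker, so the blockquote relies on lazy continuation, while the "*(reproduced from [[shrtl](...)])*" line sits between the note and the rationale paragraph, leaving it unclear whether the attribution covers the N.B. or the rules that follow.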