From 8517b6f386b1e73bd264c28d1cda660d8147147b Mon Sep 17 00:00:00 2001 From: Rishabh Date: Wed, 28 Apr 2021 15:02:55 +0530 Subject: [PATCH] DOCS: we use xss.js and not Google Caja (#12866) The text is out of date as we migrated to xss.js quite some time ago. --- docs/SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index ee485b5f055..cd44bf92b4a 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -25,7 +25,7 @@ There are 3 main scenarios we protect against: 1. **Markdown preview invokes an XSS.** This is possibly severe in one specific case: when a forum staff member edits a user's post, seeing the raw markup, where a malicious user may have inserted code to run JavaScript. This code would only show up in the preview, but it would run in the context of a forum staff member, which is *very* bad. -2. **Markdown displayed on the page invokes an XSS.** To protect against client side preview XSS, Discourse uses [Google Caja](https://developers.google.com/caja/) in the preview window. +2. **Markdown displayed on the page invokes an XSS.** To protect against client side preview XSS, Discourse uses [xss.js](https://jsxss.com/en/index.html) in the preview window. 3. **CSP is on by default** for [all Discourse installations](https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243) as of Discourse 2.2. It can be switched off in the site settings, but it is default on.
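Review bot: In item 2 the replaced sentence still talks only about the preview ("To protect against client side preview XSS ... in the preview window"), while the item's bold heading is "Markdown displayed on the page invokes an XSS", so the doc still does not say what protects rendered posts. Since this line is being rewritten anyway, consider moving the xss.js sentence under item 1, which is the preview scenario, and giving item 2 a sentence that describes the sanitization applied to Markdown displayed on the page. A smaller point in the same list: the intro says "There are 3 main scenarios we protect against", but item 3 ("CSP is on by default") is a mitigation rather than a scenario, so the count or the wording of the intro could be adjusted in the same change.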