duckduckgo · moollaza · Mar 11, 2014 · Mar 9, 2014 · Mar 11, 2014 · Mar 11, 2014
diff --git a/duckduckhack/resources/faq.md b/duckduckhack/resources/faq.md
@@ -81,11 +81,13 @@ Sure -- check out [our partnerships page](http://help.duckduckgo.com/customer/po
 
 ## Goodie
 
-### Can Goodie instant answers make HTTP requests?
+### Can Goodie instant answers make network requests?
 
-Sorry, but unfortunately not. You might want to consider creating a Spice instant answer if you are trying to use an API.
+No. If you are trying to use an API, you should consider creating a Spice instant answer instead.
 
-(This section is still growing! Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!)
+### Can Goodie instant answers include the user's query string?
+
+They probably shouldn't.  There is a lot of potential for [cross-site scripting attacks](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) when working with user-supplied strings.  While the platform attempts to mitigate these issues in pure ASCII responses, HTML responses should **never** include a raw query string. It is safest to return only data which is generated by your Goodie itself.
 
 ## Spice
 

diff --git a/duckduckhack/submitting-your-instant-answer/developer_checklist.md b/duckduckhack/submitting-your-instant-answer/developer_checklist.md
@@ -13,17 +13,20 @@ Before your instant answer is ready to be submitted, please go over this checkli
 (Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!)
 
 - Can this instant answer return unsafe content (bad words, etc)
-  - Did you set `is_unsafe` to true?
+     - Did you set `is_unsafe` to true?
+
+- Can this instant answer return an HTML response?
+     - Have you guaranteed that the response does not contain user-supplied strings (e.g. the query string) which could lead to [cross-site scripting attacks](https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)?
 
 ## Spice
 
 (Know what should go here? Then **please** [contribute to the documentation](https://github.com/duckduckgo/duckduckgo-documentation/blob/master/CONTRIBUTING.md)!)
 
 - Did you write any custom css?
-  - If so, did you namespace the css? (every instant answer has a div with id="spice_<template_name>", use that to target your styles so you don't overwrite any global styles)
+    - Did you namespace the css? (every instant answer has a div with id="spice_<template_name>", use that to target your styles so you don't overwrite any global styles)
 
 - Can this instant answer return unsafe content (bad words, etc)
-  - Did you set `is_unsafe` to true?
+    - Did you set `is_unsafe` to true?
 
 ## Fathead