diff --git a/CHANGES.rst b/CHANGES.rst index c236de13..cbcfd7a5 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -28,6 +28,12 @@ Released on XXX * Cease supporting Python 3.2 (in both CPython and PyPy forms). +* Fix #11, avoiding the XSS bug potentially caused by serializer allowing + attribute values to be escaped out of in old browser versions, changing + the quote_attr_values option on serializer to take one of three values, + "always" (the old True value), "legacy" (the new option, and the new + default), and "spec" (the old False value, and the old default). + 0.9999999/1.0b8 ~~~~~~~~~~~~~~~
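Review bot: The new CHANGES.rst entry does not say what "legacy" actually quotes that "spec" does not, and it does not say whether callers still passing the old boolean True/False to quote_attr_values keep working. Because the default moves from the old False ("spec") to "legacy", serializer output changes for anyone relying on the default, so the entry should call that out as a behaviour change and state how True/False are handled (accepted, deprecated or rejected). The single long sentence would also read better split in two: one stating the fix for #11 (attribute values could be escaped out of in old browser versions), and one listing the three option values with their old equivalents.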