Move section on code injection to security considerations.

index.html

@@ -6357,6 +6357,54 @@ <h4>Inappropriate Use</h4>
 specific context of their intended application.
         </p>
       </section>
+
+      <section class="informative">
+        <h3>Code Injection</h3>
+
+        <p>
+It is possible for data in [=verifiable credentials=] to include
+executable code or scripting languages. Authors of verifiable credentials are
+advised to avoid doing so, unless necessary, and the risks have been mitigated
+to the extent possible.
+        </p>
+
+        <p>
+For example, when a single natural language string contains multiple languages
+or annotations, the contents of the string might require additional structure or
+markup in order to be presented correctly. It is possible to use markup
+languages, such as HTML, to label spans of text in different languages or to
+supply string-internal markup needed for the proper display of [=bidirectional
+text=]. It is also possible to use the `rdf:HTML` datatype to encode such values
+accurately in JSON-LD.
+        </p>
+
+        <p>
+Despite the ability to encode information as HTML, implementers are strongly
+discouraged from doing so, for the following reasons:
+        </p>
+
+        <ul>
+          <li>
+It requires some version of an HTML processor, which increases the burden of
+processing language and base direction information.
+          </li>
+          <li>
+It increases the security attack surface when utilizing this data model, because
+naively processing HTML could result in the execution of a `script` tag that
+an attacker injected at some point during the data production process.
+          </li>
+        </ul>
+
+        <p>
+If implementers feel they need to use HTML, or other markup languages capable of
+containing executable scripts, to address a specific use case, they are advised
+to analyze how an attacker could use the markup to mount injection attacks
+against a consumer of the markup, and then deploy mitigations against the
+identified attacks, such as running the HTML rendering engine in a sandbox with
+no ability to access the network.
+        </p>
+      </section>
+
     </section>
 
     <section class="informative">
@@ -6539,45 +6587,6 @@ <h3>Providing Default Language and Direction</h3>
         </p>
       </section>
 
-      <section class="informative">
-        <h3>Complex Language Markup</h3>
-
-        <p>
-When a single natural language string contains multiple languages or
-annotations, the contents of the string might require additional structure or
-markup in order to be presented correctly. It is possible to use markup
-languages, such as HTML, to label spans of text in different languages or to
-supply string-internal markup needed for proper display of [=bidirectional
-text=]. It is also possible to use the `rdf:HTML` datatype to
-encode such values accurately in JSON-LD.
-        </p>
-
-        <p>
-Despite the ability to encode information as HTML, implementers are strongly
-discouraged from doing this because it:
-        </p>
-
-        <ul>
-          <li>
-Requires some version of an HTML processor, which increases the burden of
-processing language and base direction information.
-          </li>
-          <li>
-Increases the security attack surface when utilizing this data model because
-blindly processing HTML could result in executing a `script` tag that
-an attacker injected at some point during the data production process.
-          </li>
-        </ul>
-
-        <p>
-If implementers feel they must use HTML, or other markup languages capable of
-containing executable scripts, to address a specific use case, they are advised
-to analyze how an attacker would use the markup to mount injection attacks
-against a consumer of the markup and then deploy mitigations against the
-identified attacks.
-        </p>
-      </section>
-
     </section>
 
     <section class="appendix informative">