Commit
Note that violation reports are attacker controlled.
mikewest committed Mar 23, 2017
1 parent edd5f29 commit 6b9fdc9
Showing 2 changed files with 14 additions and 0 deletions.
7 changes: 7 additions & 0 deletions index.html
Expand Up @@ -4820,6 +4820,11 @@ <h3 class="heading settled" data-level="7.4" id="security-violation-reports"><sp
sensitive information contained in the redirected URL, such as session
identifiers or purported identities. For this reason, the user agent includes
only the URL of the original request, not the redirect target.</p>
<p>Note also that violation reports should be considered attacker-controlled data. Developers who
wish to collect violation reports in a dashboard or similar service should be careful to properly
escape their content before rendering it (and should probably themselves use CSP to further
mitigate the risk of injection). This is especially true for the "<code>script-sample</code>" property of
violation reports, and the <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample-3">sample</a></code> property of <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-4">SecurityPolicyViolationEvent</a></code>, which are both completely attacker-controlled strings.</p>
</section>
<section>
<h2 class="heading settled" data-level="8" id="authoring-considerations"><span class="secno">8. </span><span class="content">Authoring Considerations</span><a class="self-link" href="#authoring-considerations"></a></h2>
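Review bot: the closing clause "which are both completely attacker-controlled strings" reads as if the rest of the report were trustworthy, while the paragraph opens by calling the whole report attacker-controlled data; consider ending with "which are both free-form strings and therefore the most likely vector" so the two sentences agree that every field needs escaping and only these two deserve extra attention. Also, "<code>script-sample</code>" is a bare <code> while the neighbouring <code class="idl"><a ...>sample</a></code> is autolinked; if the JSON property has a definition in the document, linking it here would let readers jump from the warning to the field it concerns.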
Expand Down Expand Up @@ -6779,6 +6784,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
Obtain the deprecated serialization of violation </a>
<li><a href="#ref-for-securitypolicyviolationevent-2">5.3.
Report a violation </a> <a href="#ref-for-securitypolicyviolationevent-3">(2)</a>
<li><a href="#ref-for-securitypolicyviolationevent-4">7.4. Violation Reports</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-documenturi">
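Review bot: the new list item points at #ref-for-securitypolicyviolationevent-4, which matches the id introduced on the SecurityPolicyViolationEvent link in the first hunk, so the generated definition panel and the new paragraph stay consistent; nothing to change, only confirming the generated index was rebuilt together with the prose rather than edited by hand.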
Expand Down Expand Up @@ -6837,6 +6843,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
Obtain the deprecated serialization of violation </a>
<li><a href="#ref-for-dom-securitypolicyviolationevent-sample-2">5.3.
Report a violation </a>
<li><a href="#ref-for-dom-securitypolicyviolationevent-sample-3">7.4. Violation Reports</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-disposition">
7 changes: 7 additions & 0 deletions index.src.html
Expand Up @@ -3965,6 +3965,13 @@ <h3 id="security-violation-reports">Violation Reports</h3>
sensitive information contained in the redirected URL, such as session
identifiers or purported identities. For this reason, the user agent includes
only the URL of the original request, not the redirect target.

Note also that violation reports should be considered attacker-controlled data. Developers who
wish to collect violation reports in a dashboard or similar service should be careful to properly
escape their content before rendering it (and should probably themselves use CSP to further
mitigate the risk of injection). This is especially true for the "`script-sample`" property of
violation reports, and the {{SecurityPolicyViolationEvent/sample}} property of
{{SecurityPolicyViolationEvent}}, which are both completely attacker-controlled strings.
</section>

<!-- Big text: Authoring -->
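Review bot: the note tells authors what to do (escape before rendering, apply CSP to the dashboard) but not why the data is untrusted; a single sentence stating that the report body is produced by the client, so nothing in it has been validated by the site, would make the advice self-explanatory for readers who skip to this section. The source uses "`script-sample`" in quotes with backticks while the IDL attribute uses the {{SecurityPolicyViolationEvent/sample}} autolink; if a definition for the JSON property exists in the spec, consider the same [=...=] or {{...}} style so both references link, and the quotation marks around the code span can then go.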