expand section on copy/paste security

docs/security.rst

@@ -259,21 +259,28 @@ certificate key to prevent MITM attacks.
 
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
 
-Copy/Paste Security Issues
-~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If your website allows users to upload their own code, hidden characters
+Copy/Paste to Terminal
-such as the backspace character (``\b``, ``^H``) can cause the code to
+----------------------
-have a different meaning when copy and pasted into terminals.
+
+Hidden characters such as the backspace character (``\b``, ``^H``) can
+cause text to render differently in HTML than how it is interpreted if
+`pasted into a terminal <https://security.stackexchange.com/q/39118>`__.
 
 For example, ``import y\bose\bm\bi\bt\be\b`` renders as
-``import yosemite`` but becomes ``import os`` when pasted in a terminal.
+``import yosemite`` in HTML, but the backspaces are applied when pasted
+into a terminal, and it becomes ``import os``.
 
-Consider applying extra filtering, such as replacing all ``\b``
+If you expect users to copy and paste untrusted code from your site,
-characters.
+such as from comments posted by users on a technical blog, consider
+applying extra filtering, such as replacing all ``\b`` characters.
 
 .. code-block:: python
 
     body = body.replace("\b", "")
 
-- https://security.stackexchange.com/q/39118
+Most modern terminals will warn about and remove hidden characters when
+pasting, so this isn't strictly necessary. It's also possible to craft
+dangerous commands in other ways that aren't possible to filter.
+Depending on your site's use case, it may be good to show a warning
+about copying code in general.