Commenting the security issue from the end of explainer for visibility.

I’m having flashbacks to the Java serialize vulnerabilities from a couple years ago.

ECMAScript and JSON do not have the same set of escape characters:

``` Note: It’s crucially important to post-process user-controlled input to escape any special character sequences, depending on the context. In this particular case, we’re injecting into a tag, so we must (also) escape