update document, adding Caveats section

Author: dev-javascript

README.md

@@ -11,21 +11,24 @@ Create React component from string
 - [Installation](#installation)
 - [Basic Example](#basic-example)
 - [Using Unknown Elements](#using-unknown-elements)
+- [Caveats](#caveats)
 - [Test](#test)
 - [License](#license)
 
 <!-- tocstop -->
 
 ## Installation
 
+First You need to load `@babel/standalone` in the browser :
+
 ```js
-$ npm install string-to-react-component --save
+<script src="https://unpkg.com/@babel/standalone/babel.min.js"></script>
 ```
 
-Also You need to load `@babel/standalone` in the browser :
+Then install `string-to-react-component` package
 
 ```js
-<script src="https://unpkg.com/@babel/standalone/babel.min.js"></script>
+$ npm install string-to-react-component --save
 ```
 
 ## Basic Example
@@ -55,7 +58,7 @@ function App() {
 
 - The given code inside the string should be a function.
 
-- The given code is executed in the global scope, so imported objects from `react` package including `useState`, `useEffect`, ... are not accessible inside it and you should get them from `React` global variable :
+- The code inside the string is executed in the global scope, so imported objects from `react` package including `useState`, `useEffect`, ... are not accessible inside it and you should get them from `React` global variable :
 
 ```js
 import {useState} from 'react';
@@ -92,6 +95,12 @@ function App() {
 }
 ```
 
+## Caveats
+
+This plugin does not use `eval` function, however, suffers from security and might expose you to XSS attacks
+
+To prevent XSS attacks, You should sanitize user input before storing it.
+
 ## Test
 
 ```js