diff --git a/webodf/lib/core/UnitTester.js b/webodf/lib/core/UnitTester.js
index dd88fc6b9..ee0be4b57 100644
--- a/webodf/lib/core/UnitTester.js
+++ b/webodf/lib/core/UnitTester.js
@@ -568,6 +568,11 @@ core.UnitTester = function UnitTester() {
 * @return {!string}
 **/
 function link(text, code) {
+ // NASTY HACK, DO NOT RE-USE. String concatenation with uncontrolled user input is a bad idea for building DOM
+ // fragments everyone. If you feel tempted to extract the HTML escape thing from here, please force yourself to
+ // visit http://shebang.brandonmintern.com/foolproof-html-escaping-in-javascript/ first, and learn a better
+ // approach to take.
+ return "" + text.replace(/"; }
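Review bot: The added return statement in link() is truncated in this view (`return "" + text.replace(/"; }`), so it is not possible to confirm which characters the inline escape actually covers; the four-line comment warns readers off reusing it but does not say what it guarantees. Since link() still returns markup built by concatenation from `text` and `code`, the escape should at minimum cover the standard set before the value lands in element content or a quoted attribute, e.g. `text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;")` (with `code` treated the same way if it ends up inside an attribute, which the hunk does not show). I would also replace the "NASTY HACK" prose with a one-sentence contract in the existing JSDoc block, such as `@param {!string} text - caller-supplied label; HTML-escaped here because the result is inserted as markup`, so the reason for the escape survives without the external link. If the test-runner output is only ever assigned to a node, building the anchor with document.createElement and textContent would remove the need for escaping altogether, but that would change the documented !string return type of link(), so it is a follow-up rather than part of this change.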