diff --git a/docs/en/topics/security.md b/docs/en/topics/security.md index 714cb8049..be5386d16 100644 --- a/docs/en/topics/security.md +++ b/docs/en/topics/security.md @@ -148,10 +148,13 @@ most common XSS vectors. However some subtle XSS attacks that exploit HTML parsing bugs need heavier filtering. For greater protection you can install the [htmlpurifier](https://github.com/silverstripe-labs/silverstripe-htmlpurifier) module which will replace the built in sanitiser with one that uses the [HTML Purifier](http://htmlpurifier.org/) library. - In both cases, you must ensure that you have not configured TinyMCE to explicitly allow script elements or other javascript-specific attributes. +For `HTMLText` database fields which aren't edited through `HtmlEditorField`, you also +have the option to explicitly whitelist allowed tags in the field definition, e.g. `"MyField" => "HTMLText('meta','link')"`. +The `SiteTree.ExtraMeta` property uses this to limit allowed input. + ##### But I also need my editors to provide javascript It is not currently possible to allow editors to provide javascript content and yet still protect other users
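Review bot: the removed line "In both cases, you must ensure that you have not configured TinyMCE to explicitly allow script elements or other javascript-specific attributes." is the only place this section tells readers that the built-in sanitiser and the htmlpurifier module both depend on TinyMCE not being configured to permit `script` elements or script-bearing attributes; dropping it leaves the two preceding paragraphs without that caveat. Keep that sentence before the new `HTMLText` paragraph rather than replacing it. The new paragraph also does not say when the `HTMLText('meta','link')` whitelist is enforced (on save, on render, or both) or that it restricts tags only, so a reader may assume it covers attributes as well; a short clause such as "this limits the permitted tags to the listed names" after the `SiteTree.ExtraMeta` example would make the scope clear.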