Document a security risk in the send_file function

Author: miguelgrinberg

src/microdot.py

@@ -444,6 +444,10 @@ def send_file(cls, filename, status_code=200, content_type=None):
         :param content_type: The ``Content-Type`` header to use in the
                              response. If omitted, it is generated
                              automatically from the file extension.
+
+        Security note: The filename is assumed to be trusted. Never pass
+        filenames provided by the user before validating and sanitizing them
+        first.
         """
         if content_type is None:
             ext = filename.split('.')[-1]