diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28706fbf..2a4fb29f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+<a name="1.16.0"></a>
+# [1.16.0](https://github.com/Rebilly/ReDoc/compare/v1.15.0...v1.16.0) (2017-05-12)
+
+
+### Bug Fixes
+
+* do not show discriminator dropdown if it is empty ([7a5d315](https://github.com/Rebilly/ReDoc/commit/7a5d315))
+* prevent possible XSS using `untrusted-spec` option ([c0698bb](https://github.com/Rebilly/ReDoc/commit/c0698bb))
+* URL changes so fast ([131b437](https://github.com/Rebilly/ReDoc/commit/131b437)), closes [#252](https://github.com/Rebilly/ReDoc/issues/252)
+
+
+### Features
+
+* display xml examples if present in response examples ([cb106cc](https://github.com/Rebilly/ReDoc/commit/cb106cc))
+
+
 <a name="1.15.0"></a>
 # [1.15.0](https://github.com/Rebilly/ReDoc/compare/v1.14.0...v1.15.0) (2017-05-05)
 
diff --git a/README.md b/README.md
index 068a26be..e60afee1 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,8 @@ We host the latest and all the previous ReDoc releases on GitHub Pages-based **C
 ```
 That's all folks!
 
+**IMPORTANT NOTE:** if you work with untrusted user spec, use `untrusted-spec` [option](#redoc-tag-attributes) to prevent XSS security risks.
+
 ### 1. Install ReDoc (skip this step for CDN)
 Install using [bower](bower.io):
 
@@ -131,6 +133,7 @@ ReDoc makes use of the following [vendor extensions](http://swagger.io/specifica
 
 ### `<redoc>` tag attributes
 * `spec-url` - relative or absolute url to your spec file;
+* `untrusted-spec` - if set, the spec is considered untrusted and all HTML/markdown is sanitized to prevent XSS. **Disabled by default** for performance reasons. **Enable this option if you work with untrusted user data!**
 * `scroll-y-offset` - If set, specifies a vertical scroll-offset. This is often useful when there are fixed positioned elements at the top of the page, such as navbars, headers etc;
 `scroll-y-offset` can be specified in various ways:
   * **number**: A fixed number of pixels to be used as offset;
diff --git a/demo/index-gh.html b/demo/index-gh.html
index 17724a03..5835dfc9 100644
--- a/demo/index-gh.html
+++ b/demo/index-gh.html
@@ -22,7 +22,7 @@
       frameborder="0" scrolling="0" width="130px" height="30px"></iframe>
     </nav>
 
-    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering></redoc>
+    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering untrusted-spec></redoc>
 
     <script src="main.js"> </script>
     <script src="./dist/redoc.min.js"> </script>
diff --git a/demo/index.html b/demo/index.html
index ee983bf4..8ef1e02a 100644
--- a/demo/index.html
+++ b/demo/index.html
@@ -22,7 +22,7 @@
       frameborder="0" scrolling="0" width="130px" height="30px"></iframe>
     </nav>
 
-    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering></redoc>
+    <redoc scroll-y-offset="body > nav" spec-url='swagger.yaml' lazy-rendering untrusted-spec></redoc>
 
     <script>
       window.__REDOC_DEV__ = true;
diff --git a/demo/swagger.yaml b/demo/swagger.yaml
index f21ecef5..63a0bcbb 100644
--- a/demo/swagger.yaml
+++ b/demo/swagger.yaml
@@ -617,6 +617,7 @@ paths:
             type: string
           examples:
             application/json: OK
+            application/xml: <message> OK </message>
           headers:
             X-Rate-Limit:
               type: integer
diff --git a/lib/components/JsonSchema/json-schema.html b/lib/components/JsonSchema/json-schema.html
index 8ab87420..07c7853b 100644
--- a/lib/components/JsonSchema/json-schema.html
+++ b/lib/components/JsonSchema/json-schema.html
@@ -83,7 +83,7 @@
               <span *ngIf="prop.pattern" class="param-pattern">{{prop.pattern}}</span>
             </div>
             <div class="param-description" [innerHtml]="prop.description | marked"></div>
-            <div class="discriminator-info" *ngIf="prop.isDiscriminator">
+            <div class="discriminator-info" *ngIf="prop.isDiscriminator && descendants.length">
               <drop-down (change)="selectDescendantByIdx($event)" [active]="activeDescendant.idx">
                 <option *ngFor="let descendant of descendants; let i=index"
                 [value]="i" [attr.selected]="descendant.active ? '' : null" >{{descendant.name}}</option>
diff --git a/lib/components/RequestSamples/request-samples.scss b/lib/components/RequestSamples/request-samples.scss
index 24f42018..cc06902c 100644
--- a/lib/components/RequestSamples/request-samples.scss
+++ b/lib/components/RequestSamples/request-samples.scss
@@ -64,7 +64,7 @@ header {
 }
 
 :host /deep/ tabs ul {
-    padding-top: 10px;
+  padding-top: 10px;
 }
 
 .code-sample pre {
diff --git a/lib/components/ResponsesSamples/responses-samples.ts b/lib/components/ResponsesSamples/responses-samples.ts
index 6e076adb..e977b275 100644
--- a/lib/components/ResponsesSamples/responses-samples.ts
+++ b/lib/components/ResponsesSamples/responses-samples.ts
@@ -3,7 +3,7 @@
 import { Component, Input, OnInit, ChangeDetectionStrategy } from '@angular/core';
 import { BaseComponent, SpecManager } from '../base';
 import JsonPointer from '../../utils/JsonPointer';
-import { statusCodeType, getJsonLike } from '../../utils/helpers';
+import { statusCodeType, getJsonLikeSample } from '../../utils/helpers';
 
 
 function isNumeric(n) {
@@ -11,7 +11,7 @@ function isNumeric(n) {
 }
 
 function hasExample(response) {
-  return ((response.examples && getJsonLike(response.examples)) ||
+  return ((response.examples && getJsonLikeSample(response.examples)) ||
     response.schema);
 }
 
diff --git a/lib/components/SchemaSample/schema-sample.html b/lib/components/SchemaSample/schema-sample.html
index a1a3ec8a..b7791525 100644
--- a/lib/components/SchemaSample/schema-sample.html
+++ b/lib/components/SchemaSample/schema-sample.html
@@ -1,10 +1,26 @@
-<div class="snippet">
-  <!-- in case sample is not available for some reason -->
-  <pre *ngIf="sample == undefined"> Sample unavailable </pre>
-  <div class="action-buttons">
-    <span copy-button [copyText]="sample" class="hint--top-left hint--inversed"> <a>Copy</a> </span>
-    <span> <a *ngIf="enableButtons" (click)="expandAll()">Expand all</a> </span>
-    <span> <a *ngIf="enableButtons" (click)="collapseAll()">Collapse all</a> </span>
+<ng-template #jsonSnippet>
+  <div class="snippet">
+    <!-- in case sample is not available for some reason -->
+    <pre *ngIf="sample == undefined"> Sample unavailable </pre>
+    <div class="action-buttons">
+      <span copy-button [copyText]="sample" class="hint--top-left hint--inversed"> <a>Copy</a> </span>
+      <span> <a *ngIf="enableButtons" (click)="expandAll()">Expand all</a> </span>
+      <span> <a *ngIf="enableButtons" (click)="collapseAll()">Collapse all</a> </span>
+    </div>
+    <pre [innerHtml]="sample | jsonFormatter"></pre>
   </div>
-  <pre [innerHtml]="sample | jsonFormatter"></pre>
-</div>
+</ng-template>
+
+<tabs *ngIf="xmlSample; else jsonSnippet">
+  <tab tabTitle="JSON">
+    <ng-container *ngTemplateOutlet="jsonSnippet"></ng-container>
+  </tab>
+  <tab tabTitle="XML" *ngIf="xmlSample">
+    <div class="snippet">
+      <div class="action-buttons">
+        <span copy-button [copyText]="xmlSample" class="hint--top-left hint--inversed"> <a>Copy</a> </span>
+      </div>
+      <pre class="xml-sample" [innerHtml]="xmlSample | prism:'xml'"></pre>
+    </div>
+  </tab>
+</tabs>
diff --git a/lib/components/SchemaSample/schema-sample.scss b/lib/components/SchemaSample/schema-sample.scss
index 45fdf161..b85f561c 100644
--- a/lib/components/SchemaSample/schema-sample.scss
+++ b/lib/components/SchemaSample/schema-sample.scss
@@ -4,6 +4,34 @@
   display: block;
 }
 
+
+/* tabs */
+
+:host /deep/ tabs {
+  margin-top: 1em;
+  > ul {
+    margin: 0;
+    padding: 0;
+
+    > li {
+      padding: 2px 10px;
+      display: inline-block;
+      background: #131a1d;
+      border-bottom: 1px solid trasparent;
+      color: $sample-panel-headers-color;
+
+      &.active {
+        color: white;
+        border-bottom: 1px solid $sample-panel-headers-color;
+      }
+    }
+  }
+
+  .action-buttons {
+    margin-top: -2em;
+  }
+}
+
 pre {
   background-color: transparent;
   padding: 0;
@@ -99,7 +127,7 @@ pre {
     padding-left: 6px;
   }
 
-  .redoc-json {
+  .redoc-json, .xml-sample {
       overflow-x: auto;
       padding: 20px;
       border-radius: $border-radius*2;
diff --git a/lib/components/SchemaSample/schema-sample.ts b/lib/components/SchemaSample/schema-sample.ts
index a774bd91..00fa9558 100644
--- a/lib/components/SchemaSample/schema-sample.ts
+++ b/lib/components/SchemaSample/schema-sample.ts
@@ -6,7 +6,7 @@ import * as OpenAPISampler from 'openapi-sampler';
 import JsonPointer from '../../utils/JsonPointer';
 import { BaseComponent, SpecManager } from '../base';
 import { SchemaNormalizer } from '../../services/schema-normalizer.service';
-import { getJsonLike } from '../../utils/helpers';
+import { getJsonLikeSample, getXmlLikeSample} from '../../utils/helpers';
 
 @Component({
   selector: 'schema-sample',
@@ -20,6 +20,7 @@ export class SchemaSample extends BaseComponent implements OnInit {
 
   element: any;
   sample: any;
+  xmlSample: string;
   enableButtons: boolean = false;
 
   private _normalizer:SchemaNormalizer;
@@ -34,7 +35,7 @@ export class SchemaSample extends BaseComponent implements OnInit {
     this.bindEvents();
 
     let base:any = this.componentSchema;
-    let sample;
+    let sample, xmlSample;
 
     // got pointer not directly to the schema but e.g. to the response obj
     if (this.componentSchema.schema) {
@@ -50,7 +51,12 @@ export class SchemaSample extends BaseComponent implements OnInit {
       base.examples = requestExamples;
     }
 
-    let jsonLikeSample = base.examples && getJsonLike(base.examples);
+    let xmlLikeSample = base.examples && getXmlLikeSample(base.examples);
+    if (xmlLikeSample) {
+      this.xmlSample = xmlLikeSample;
+    }
+
+    let jsonLikeSample = base.examples && getJsonLikeSample(base.examples);
     if (jsonLikeSample) {
       sample = jsonLikeSample;
     } else {
diff --git a/lib/services/hash.service.ts b/lib/services/hash.service.ts
index 4cdb5964..df381559 100644
--- a/lib/services/hash.service.ts
+++ b/lib/services/hash.service.ts
@@ -1,15 +1,20 @@
 'use strict';
 import { Injectable } from '@angular/core';
 import { PlatformLocation } from '@angular/common';
-
 import { BehaviorSubject } from 'rxjs/BehaviorSubject';
 
+import { debounce } from '../utils/';
+
 @Injectable()
 export class Hash {
   public value = new BehaviorSubject<string | null>(null);
   private noEmit:boolean = false;
+  private debouncedUpdate: (hash:string, rewrite: boolean) => void;
+
   constructor(private location: PlatformLocation) {
     this.bind();
+
+    this.debouncedUpdate = debounce(this._update.bind(this), 100);
   }
 
   start() {
@@ -28,6 +33,10 @@ export class Hash {
   }
 
   update(hash: string|null, rewriteHistory:boolean = false) {
+    this.debouncedUpdate(hash, rewriteHistory);
+  }
+
+  private _update(hash: string|null, rewriteHistory:boolean = false) {
     if (hash == undefined) return;
     if (rewriteHistory) {
       window.history.replaceState(null, '', window.location.href.split('#')[0] + '#' + hash);
@@ -39,4 +48,5 @@ export class Hash {
       this.noEmit = false;
     });
   }
+
 }
diff --git a/lib/services/options.service.ts b/lib/services/options.service.ts
index c861fdcd..c2972ec2 100644
--- a/lib/services/options.service.ts
+++ b/lib/services/options.service.ts
@@ -19,6 +19,7 @@ const OPTION_NAMES = new Set([
   'requiredPropsFirst',
   'noAutoAuth',
   'pathInMiddlePanel',
+  'untrustedSpec'
 ]);
 
 export interface Options {
@@ -33,6 +34,7 @@ export interface Options {
   requiredPropsFirst?: boolean;
   noAutoAuth?: boolean;
   pathInMiddlePanel?: boolean;
+  untrustedSpec?: boolean;
   spec?: any;
 }
 
@@ -101,6 +103,7 @@ export class OptionsService {
     if (isString(this._options.requiredPropsFirst)) this._options.requiredPropsFirst = true;
     if (isString(this._options.noAutoAuth)) this._options.noAutoAuth = true;
     if (isString(this._options.pathInMiddlePanel)) this._options.pathInMiddlePanel = true;
+    if (isString(this._options.untrustedSpec)) this._options.untrustedSpec = true;
     if (isString(this._options.expandResponses)) {
       let str = this._options.expandResponses as string;
       if (str === 'all') return;
diff --git a/lib/utils/helpers.ts b/lib/utils/helpers.ts
index da30e1fc..9ba5da9c 100644
--- a/lib/utils/helpers.ts
+++ b/lib/utils/helpers.ts
@@ -99,6 +99,21 @@ export function throttle(fn, threshhold, scope) {
   };
 }
 
+export function debounce(func, wait, immediate = false) {
+	var timeout;
+	return function() {
+		var context = this, args = arguments;
+		var later = function() {
+			timeout = null;
+			if (!immediate) func.apply(context, args);
+		};
+		var callNow = immediate && !timeout;
+		clearTimeout(timeout);
+		timeout = setTimeout(later, wait);
+		if (callNow) func.apply(context, args);
+	};
+}
+
 export const isSafari = Object.prototype.toString.call(window.HTMLElement).indexOf('Constructor') > 0
   || (function (p) { return p.toString() === '[object SafariRemoteNotification]'; })(!window['safari']
   || safari.pushNotification);
@@ -123,12 +138,26 @@ export function isJsonLike(contentType: string): boolean {
   return contentType.search(/json/i) !== -1;
 }
 
-export function getJsonLike(object: Object) {
-  const jsonLikeKeys = Object.keys(object).filter(isJsonLike);
+export function isXmlLike(contentType: string): boolean {
+  return contentType.search(/xml/i) !== -1;
+}
+
+export function getJsonLikeSample(samples: Object) {
+  const jsonLikeKeys = Object.keys(samples).filter(isJsonLike);
 
   if (!jsonLikeKeys.length) {
     return false;
   }
 
-  return object[jsonLikeKeys.shift()];
+  return samples[jsonLikeKeys[0]];
+}
+
+export function getXmlLikeSample(samples: Object) {
+  const xmlLikeKeys = Object.keys(samples).filter(isXmlLike);
+
+  if (!xmlLikeKeys.length) {
+    return false;
+  }
+
+  return samples[xmlLikeKeys[0]];
 }
diff --git a/lib/utils/pipes.ts b/lib/utils/pipes.ts
index 679ea93d..4f8a7802 100644
--- a/lib/utils/pipes.ts
+++ b/lib/utils/pipes.ts
@@ -6,6 +6,7 @@ import { isString, stringify, isBlank } from './helpers';
 import JsonPointer from './JsonPointer';
 import { MdRenderer } from './';
 import { JsonFormatter } from './JsonFormatterPipe';
+import { OptionsService } from '../services/options.service';
 
 declare var Prism: any;
 
@@ -48,18 +49,19 @@ export class JsonPointerEscapePipe implements PipeTransform {
 @Pipe({ name: 'marked' })
 export class MarkedPipe implements PipeTransform {
   renderer: MdRenderer;
-  constructor(private sanitizer: DomSanitizer) {
+  unstrustedSpec: boolean;
+
+  constructor(private sanitizer: DomSanitizer, optionsService: OptionsService) {
     this.renderer = new MdRenderer(true);
+    this.unstrustedSpec = !!optionsService.options.untrustedSpec;
   }
   transform(value:string) {
     if (isBlank(value)) return value;
     if (!isString(value)) {
       throw new InvalidPipeArgumentException(JsonPointerEscapePipe, value);
     }
-
-    return this.sanitizer.bypassSecurityTrustHtml(
-      `<span class="redoc-markdown-block">${this.renderer.renderMd(value)}</span>`
-    );
+    let res = `<span class="redoc-markdown-block">${this.renderer.renderMd(value)}</span>`;
+    return this.unstrustedSpec ? res : this.sanitizer.bypassSecurityTrustHtml(res);
   }
 }
 
diff --git a/lib/vendor.ts b/lib/vendor.ts
index e6d13941..edbd8669 100644
--- a/lib/vendor.ts
+++ b/lib/vendor.ts
@@ -18,6 +18,7 @@ import 'prismjs/components/prism-bash.js';
 import 'prismjs/components/prism-swift.js';
 import 'prismjs/components/prism-objectivec.js';
 import 'prismjs/components/prism-scala.js';
+import 'prismjs/components/prism-markup.js'; // xml
 
 import 'dropkickjs/build/css/dropkick.css';
 import 'prismjs/themes/prism-dark.css';
diff --git a/package.json b/package.json
index 88671e68..58ade991 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "redoc",
   "description": "Swagger-generated API Reference Documentation",
-  "version": "1.15.0",
+  "version": "1.16.0",
   "repository": {
     "type": "git",
     "url": "git://github.com/Rebilly/ReDoc"
@@ -69,7 +69,6 @@
     "codelyzer": "^3.0.1",
     "conventional-changelog-cli": "^1.3.1",
     "core-js": "^2.4.1",
-    "coveralls": "^2.13.1",
     "css-loader": "^0.28.1",
     "deploy-to-gh-pages": "^1.3.3",
     "dropkickjs": "^2.1.10",
@@ -101,7 +100,7 @@
     "prismjs": "^1.5.1",
     "protractor": "^5.1.1",
     "raw-loader": "^0.5.1",
-    "remarkable": "^1.6.2",
+    "remarkable": "1.7.1",
     "rimraf": "^2.6.1",
     "rxjs": "^5.3.1",
     "sass-loader": "^6.0.3",
diff --git a/tests/unit/helpers.spec.ts b/tests/unit/helpers.spec.ts
index 3cba8224..d6dbcdbd 100644
--- a/tests/unit/helpers.spec.ts
+++ b/tests/unit/helpers.spec.ts
@@ -1,6 +1,12 @@
 'use strict';
 
-import {statusCodeType, isJsonLike, getJsonLike } from '../../lib/utils/helpers';
+import {
+  statusCodeType,
+  isJsonLike,
+  getJsonLikeSample,
+  isXmlLike,
+  getXmlLikeSample
+} from '../../lib/utils/helpers';
 
 describe('Utils', () => {
   describe('statusCodeType', () => {
@@ -41,24 +47,45 @@ describe('Utils', () => {
     });
   });
 
-  describe('getJsonLike', () => {
+  describe('getJsonLikeSample', () => {
     it('Should return a value when a JSON-like key exists', () => {
       const examples = {
-        "application/vnd.api+json": {
-          "message": "Hello World"
+        'application/vnd.api+json': {
+          'message': 'Hello World'
         },
-        "application/xml": "<message>Hello World</message>"
+        'application/xml': '<message>Hello World</message>'
       };
 
-      (getJsonLike(examples).message).should.be.equal("Hello World");
+      (getJsonLikeSample(examples).message).should.be.equal('Hello World');
     });
 
     it('Should return undefined when no JSON-like key exists', () => {
       const examples = {
-        "application/xml": "<message>Hello World</message>"
+        'application/xml': '<message>Hello World</message>'
       };
 
-      getJsonLike(examples).should.be.equal(false);
+      getJsonLikeSample(examples).should.be.equal(false);
     });
-  })
+  });
+
+  describe('getXmlLikeSample', () => {
+    it('Should return a value when a XML-like key exists', () => {
+      const examples = {
+        'application/vnd.api+json': {
+          'message': 'Hello World'
+        },
+        'application/vnd.api+xml': '<message>Hello World</message>'
+      };
+
+      (getXmlLikeSample(examples)).should.be.equal('<message>Hello World</message>');
+    });
+
+    it('Should return undefined when no XML-like key exists', () => {
+      const examples = {
+        'application/json': '<message>Hello World</message>'
+      };
+
+      getXmlLikeSample(examples).should.be.equal(false);
+    });
+  });
 });
diff --git a/yarn.lock b/yarn.lock
index 31414201..25fa97d7 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1117,16 +1117,6 @@ corser@~2.0.0:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/corser/-/corser-2.0.1.tgz#8eda252ecaab5840dcd975ceb90d9370c819ff87"
 
-coveralls@^2.13.1:
-  version "2.13.1"
-  resolved "https://registry.yarnpkg.com/coveralls/-/coveralls-2.13.1.tgz#d70bb9acc1835ec4f063ff9dac5423c17b11f178"
-  dependencies:
-    js-yaml "3.6.1"
-    lcov-parse "0.0.10"
-    log-driver "1.2.5"
-    minimist "1.2.0"
-    request "2.79.0"
-
 coveralls@~2.11.2:
   version "2.11.16"
   resolved "https://registry.yarnpkg.com/coveralls/-/coveralls-2.11.16.tgz#da9061265142ddee954f68379122be97be8ab4b1"
@@ -4228,7 +4218,7 @@ remap-istanbul@0.8.4:
     source-map ">=0.5.6"
     through2 "2.0.1"
 
-remarkable@^1.6.2:
+remarkable@1.7.1:
   version "1.7.1"
   resolved "https://registry.yarnpkg.com/remarkable/-/remarkable-1.7.1.tgz#aaca4972100b66a642a63a1021ca4bac1be3bff6"
   dependencies: