
Commit 2818f39

[ExpressionLanguage] Added a security caution about passing untrusted data
1 parent 0510d03 commit 2818f39

1 file changed

+7
-0
lines changed


components/expression_language.rst

Lines changed: 7 additions & 0 deletions
@@ -107,6 +107,13 @@ PHP type (including objects)::
107107
For more information, see the :doc:`/components/expression_language/syntax`
108108
entry, especially :ref:`component-expression-objects` and :ref:`component-expression-arrays`.
109109

110+
.. caution::
111+
112+
When using variables in expressions, avoid passing untrusted data into the
113+
array of variables. If you can't avoid that, sanitize non-alphanumeric
114+
characters in untrusted data to prevent malicious users from injecting
115+
control characters and altering the expression.
116+
110117
Caching
111118
-------
112119

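Review bot: the advice in the new caution to "sanitize non-alphanumeric characters in untrusted data" is too vague to act on, and the paragraph does not say which part of the input it applies to. It warns about "passing untrusted data into the array of variables", yet the failure it describes ("altering the expression") only arises where untrusted text becomes part of the expression source, that is the expression string itself or the variable names used as array keys; a value passed under a fixed key is data handed to the evaluator, not text it parses. Suggest rewording to state the rule directly, e.g. "Never build the expression string or the variable names from untrusted input. Pass untrusted data only as variable values, and validate it against an allowlist of expected values where it must influence the result", and dropping the character-stripping suggestion, since an allowlist of characters is not a meaningful defence for arbitrary values. A short `.. code-block:: php` contrasting string concatenation into the expression with passing the same data as a variable value would make the point concrete, matching the worked examples already used in this file.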