[ExpressionLanguage] Added a security caution about passing untrusted data

Author: javiereguiluz

components/expression_language.rst

@@ -107,6 +107,13 @@ PHP type (including objects)::
 For more information, see the :doc:`/components/expression_language/syntax`
 entry, especially :ref:`component-expression-objects` and :ref:`component-expression-arrays`.
 
+.. caution::
+
+    When using variables in expressions, avoid passing untrusted data into the
+    array of variables. If you can't avoid that, sanitize non-alphanumeric
+    characters in untrusted data to prevent malicious users from injecting
+    control characters and altering the expression.
+
 Caching
 -------