minor #13688 [ExpressionLanguage] Added a security caution about passing untrusted data (javiereguiluz)

javiereguiluz · javiereguiluz · commit a75126b655f5 · 2020-05-22T13:43:52.000+02:00
This PR was merged into the 3.4 branch. Discussion ---------- [ExpressionLanguage] Added a security caution about passing untrusted data Fixes #8259. Commits ------- 2818f39 [ExpressionLanguage] Added a security caution about passing untrusted data
diff --git a/components/expression_language.rst b/components/expression_language.rst
@@ -107,6 +107,13 @@ PHP type (including objects)::
 For more information, see the :doc:`/components/expression_language/syntax`
 entry, especially :ref:`component-expression-objects` and :ref:`component-expression-arrays`.
 
+.. caution::
+
+    When using variables in expressions, avoid passing untrusted data into the
+    array of variables. If you can't avoid that, sanitize non-alphanumeric
+    characters in untrusted data to prevent malicious users from injecting
+    control characters and altering the expression.
+
 Caching
 -------
 
