Added a caution note about the LDAP injection attacks

javiereguiluz · javiereguiluz · commit dfc2867e11a1 · 2017-02-16T17:03:29.000+01:00
diff --git a/security/ldap.rst b/security/ldap.rst
@@ -167,6 +167,13 @@ use the ``ldap`` user provider.
             ),
         );
 
+.. caution::
+
+    The Security component escapes values provided when binding against an LDAP
+    server (likewise for the user provider). However, the LDAP component does
+    not provide any other escaping, so it's your responsibility to prevent
+    the LDAP injection attacks.
+
 The ``ldap`` user provider supports many different configuration options:
 
 service
