[ExpressionLanguage] Added a security caution about passing untrusted data

javiereguiluz · javiereguiluz · commit 2818f3931c3f · 2020-05-20T17:11:37.000+02:00
diff --git a/components/expression_language.rst b/components/expression_language.rst
@@ -107,6 +107,13 @@ PHP type (including objects)::
 For more information, see the :doc:`/components/expression_language/syntax`
 entry, especially :ref:`component-expression-objects` and :ref:`component-expression-arrays`.
 
+.. caution::
+
+    When using variables in expressions, avoid passing untrusted data into the
+    array of variables. If you can't avoid that, sanitize non-alphanumeric
+    characters in untrusted data to prevent malicious users from injecting
+    control characters and altering the expression.
+
 Caching
 -------
 
