Commit e9d242d

valepu authored and javiereguiluz committed
Remove misleading warning
Fixes #17978

The warning I am removing was created after #8259, but the issue used an incorrect regex to show a potential problem which doesn't exist. In my issue I show that it's not actually possible to inject control characters. I would still suggest that someone more involved in Symfony development investigate further; if the expression language is used in the security component, this would need more than just a warning.
1 parent ccaa7f8 commit e9d242d

1 file changed

+0
-7
lines changed

components/expression_language.rst

Lines changed: 0 additions & 7 deletions
@@ -112,13 +112,6 @@ expressions (e.g. the request, the current user, etc.):
112112
* :doc:`Variables available in service container expressions </service_container/expression_language>`;
113113
* :ref:`Variables available in routing expressions <routing-matching-expressions>`.
114114

115-
.. caution::
116-
117-
When using variables in expressions, avoid passing untrusted data into the
118-
array of variables. If you can't avoid that, sanitize non-alphanumeric
119-
characters in untrusted data to prevent malicious users from injecting
120-
control characters and altering the expression.
121-
122115
.. _expression-language-caching:
123116

124117
Caching
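
Review bot: Deleting the whole `.. caution::` block (old lines 115-121) leaves this passage, which points readers at the request and current-user variables, with no statement about untrusted input at all, while the commit message itself asks for further investigation and says use in the security component "would need more than just a warning". Rather than a pure removal, consider replacing the block with a short note that records what #17978 established (that values in the variables array cannot inject control characters into the expression), so the reasoning lives in the docs and not only in the issue tracker. If the follow-up investigation is still open, link it from the commit or hold the deletion until it concludes, since nothing in this hunk tells a reader why the earlier guidance from #8259 no longer applies.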
