diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
index 65fa78a6ee..8bddd56dc1 100644
--- a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -75,8 +75,15 @@ import org.springframework.util.xml.StaxUtils;
 /**
  * Implementation of the {@code Marshaller} interface for XStream.
  *
- *
By default, XStream does not require any further configuration,
- * though class aliases can be used to have more control over the behavior of XStream.
+ *
By default, XStream does not require any further configuration and can (un)marshal
+ * any class on the classpath. As such, it is not recommended to use the
+ * {@code XStreamMarshaller} to unmarshal XML from external sources (i.e. the Web), as
+ * this can result in security vulnerabilities. If you do use the
+ * {@code XStreamMarshaller} to unmarshal external XML, set the
+ * {@link #setConverters(ConverterMatcher[]) converters} and
+ * {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
+ * {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
+ * you want it to support.
 *
 *
Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
* It defaults to {@code UTF-8}.
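Review bot: The new Javadoc presents `converters`, `supportedClasses` and `customizeXStream(XStream)` as interchangeable ways to restrict the classes accepted, but it does not say which of them is actually enforced while unmarshalling; if `supportedClasses` is only consulted by the `supports(Class)` check (I cannot confirm that from this hunk), a reader who sets that property alone would believe untrusted input is constrained when it is not. Suggest naming the mechanism that `unmarshal` applies and describing the rest as complementary, along the lines of `... restrict the types XStream may instantiate during unmarshalling (see {@link #customizeXStream(XStream)}); the supportedClasses property alone only affects {@link #supports(Class)}.`, adjusted to whatever the implementation does. Separately, `(i.e. the Web)` should read `(e.g. the Web)`, since the Web is one example of an external source rather than its definition. The class Javadoc continues outside the hunk.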
diff --git a/src/reference/docbook/oxm.xml b/src/reference/docbook/oxm.xml
index 1a7cbac17c..aa4d7e2a91 100644
--- a/src/reference/docbook/oxm.xml
+++ b/src/reference/docbook/oxm.xml
@@ -755,7 +755,11 @@ public class Application {