Docs

git-svn-id: https://src.springframework.org/svn/spring-framework/trunk@3751 50f2f4bb-b051-0410-bef5-90022cba6387

spring-framework-reference/src/oxm.xml

@@ -667,6 +667,23 @@ public class Application {
     ...
 
 </beans>]]></programlisting>
+            <warning>
+                <para>
+                  By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
+                  vulnerabilities.
+                  As such, it is recommended to set the <property>supportedClasses</property> property on the
+                  <classname>XStreamMarshaller</classname>, like so:
+                  <programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
+    <property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
+    ...
+</bean>]]></programlisting>
+                  This will make sure that only the registered classes are eligible for unmarshalling.
+                </para>
+                <para>
+                  Additionally, you can register <ulink url="http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/oxm/xstream/XStreamMarshaller.html#setConverters(com.thoughtworks.xstream.converters.ConverterMatcher[])">
+                  custom converters</ulink> to make sure that only your supported classes can be unmarshalled.
+                </para>
+            </warning>
           <note>
               <para>
                   Note that XStream is an XML serialization library, not a data binding library. Therefore, it has