Added reference to CatchAllConverter

Added reference to CatchAllConverter in both javadoc and reference docs.

Issue: SPR-10821
This commit is contained in:
Arjen Poutsma 2013-08-12 12:26:34 +02:00
parent c3dd9ff342
commit d9bfac393b
2 changed files with 6 additions and 2 deletions


@ -90,8 +90,9 @@ import org.springframework.util.xml.StaxUtils;
* {@code XStreamMarshaller} to unmarshal XML from external sources</b> (i.e. the Web),
* as this can result in <b>security vulnerabilities</b>. If you do use the
* {@code XStreamMarshaller} to unmarshal external XML, set the
* {@link #setConverters(ConverterMatcher[]) converters} and
* {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
* {@link #setSupportedClasses(Class[]) supportedClasses} and
* {@link #setConverters(ConverterMatcher[]) converters} properties (possibly using a
* {@link CatchAllConverter} as the last converter in the list) or override the
* {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
* you want it to support.
*
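Review bot: The new sentence at the end of this hunk ("possibly using a {@link CatchAllConverter} as the last converter in the list") tells the reader what to do but not why; a half-sentence of reasoning would make the security advice actionable, e.g. "so that XStream's lower-priority default converters are never reached for classes you did not explicitly list". That is the rationale the reference-docs change gives, and the Javadoc is where most users will look. It would also help to state explicitly that {@code supportedClasses} still needs to be set alongside the converters, since the catch-all only governs conversion and the sentence currently reads as if either mechanism alone is enough.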


@ -770,6 +770,9 @@ public class Application {
<para>
Additionally, you can register <link xl:href="http://static.springsource.org/spring/docs/current/api/org/springframework/oxm/xstream/XStreamMarshaller.html#setConverters(com.thoughtworks.xstream.converters.ConverterMatcher[])">
custom converters</link> to make sure that only your supported classes can be unmarshalled.
You might want to add a <classname>CatchAllConverter</classname> as the last converter in the list,
in addition to converters that explicitly support the domain classes that should be supported.
As a result, default XStream converters with lower priorities and possible security vulnerabilities do not get invoked.
</para>
</warning>
<note>
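Review bot: The added paragraph mentions only converters, whereas the Javadoc change in the same commit tells users to set both the supportedClasses and converters properties; the reference docs should say the same so the two sources do not disagree on what a safe configuration requires. Two smaller points: `<classname>CatchAllConverter</classname>` is not linked to its API documentation while the preceding sentence links `setConverters` via `<link xl:href=...>`, so a matching link would be consistent; and "default XStream converters with lower priorities and possible security vulnerabilities do not get invoked" could state the precondition it depends on, namely that the catch-all really is the last converter registered and that every domain class has an explicit converter registered ahead of it, otherwise the catch-all will also swallow the classes the application does want.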