From d9bfac393bc8f2df93a29cf685e7d81c222a59e7 Mon Sep 17 00:00:00 2001
From: Arjen Poutsma
Date: Mon, 12 Aug 2013 12:26:34 +0200
Subject: [PATCH] Added reference to CatchAllConverter

Added reference to CatchAllConverter in both javadoc and reference docs.

Issue: SPR-10821
---
 .../org/springframework/oxm/xstream/XStreamMarshaller.java | 5 +++--
 src/reference/docbook/oxm.xml | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
index 1a97a1994b..e51ee27fc2 100644
--- a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -90,8 +90,9 @@ import org.springframework.util.xml.StaxUtils;
  * {@code XStreamMarshaller} to unmarshal XML from external sources (i.e. the Web),
  * as this can result in security vulnerabilities. If you do use the
  * {@code XStreamMarshaller} to unmarshal external XML, set the
- * {@link #setConverters(ConverterMatcher[]) converters} and
- * {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
+ * {@link #setSupportedClasses(Class[]) supportedClasses} and
+ * {@link #setConverters(ConverterMatcher[]) converters} properties (possibly using a
+ * {@link CatchAllConverter} as the last converter in the list) or override the
  * {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
  * you want it to support.
  *
diff --git a/src/reference/docbook/oxm.xml b/src/reference/docbook/oxm.xml
index aa4d7e2a91..2d717104a3 100644
--- a/src/reference/docbook/oxm.xml
+++ b/src/reference/docbook/oxm.xml
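Review bot: The two added javadoc lines recommend a CatchAllConverter "as the last converter in the list" but give no reason, so a reader of the class javadoc cannot tell why the position matters or what the converter protects against; the oxm.xml hunk in this same commit carries that rationale, and the javadoc should too, since it is what IDE users see. I would extend the parenthetical to `* {@link CatchAllConverter} as the last converter in the list, so that XStream's default, lower-priority converters are` / `* not invoked for types your own converters do not handle) or override the`. The `{@link CatchAllConverter}` reference only resolves if that class is in this package or imported; the import block is outside the hunk, so that is worth confirming in the build's javadoc output. The class-level javadoc this hunk belongs to starts and ends outside the hunk.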
@@ -770,6 +770,9 @@ public class Application { Additionally, you can register custom converters to make sure that only your supported classes can be unmarshalled. + You might want to add a CatchAllConverter as the last converter in the list, + in addition to converters that explicitly support the domain classes that should be supported. + As a result, default XStream converters with lower priorities and possible security vulnerabilities do not get invoked.