Commit

Merge branch '5.4' into 6.3
* 5.4:
  Mutate some `cautions` to `dangers`
javiereguiluz committed Dec 26, 2023
2 parents 20dca7d + 564a3ac commit a750ec5
Showing 16 changed files with 18 additions and 18 deletions.
2 changes: 1 addition & 1 deletion components/http_foundation.rst
Expand Up @@ -841,7 +841,7 @@ class, which can make this even easier::
The ``JsonResponse`` class sets the ``Content-Type`` header to
``application/json`` and encodes your data to JSON when needed.

.. caution::
.. danger::

To avoid XSSI `JSON Hijacking`_, you should pass an associative array
as the outermost array to ``JsonResponse`` and not an indexed array so
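Review bot: the commit message ("Mutate some `cautions` to `dangers`") gives no criterion for which admonitions get escalated, and across these 16 files the batch mixes genuine security hazards (this JSON hijacking block, XSS, CSRF, open redirect, secret leakage) with correctness and performance issues (lock loss on a tmpfs `/tmp`, memory use without `DateTimeNormalizer`). State the rule once, for example `danger` for security impact and `caution` for bugs or data loss, so that later edits stay consistent. Rendering is not at risk: `danger` is a standard docutils admonition exactly like `caution`, so no Sphinx extension is needed and the indented body stays valid.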
6 changes: 3 additions & 3 deletions components/lock.rst
Expand Up @@ -824,7 +824,7 @@ instance, to clean up the ``/tmp`` directory or after a reboot of the machine
when a directory uses ``tmpfs``. It's not an issue if the lock is released when
the process ended, but it is in case of ``Lock`` reused between requests.

.. caution::
.. danger::

Do not store locks on a volatile file system if they have to be reused in
several requests.
Expand Down Expand Up @@ -857,7 +857,7 @@ When the Memcached service is shared and used for multiple usage, Locks could be
removed by mistake. For instance some implementation of the PSR-6 ``clear()``
method uses the Memcached's ``flush()`` method which purges and removes everything.

.. caution::
.. danger::

The method ``flush()`` must not be called, or locks should be stored in a
dedicated Memcached service away from Cache.
Expand Down Expand Up @@ -965,7 +965,7 @@ be lost without notifying the running processes.
When the Redis service is shared and used for multiple usages, locks could be
removed by mistake.

.. caution::
.. danger::

The command ``FLUSHDB`` must not be called, or locks should be stored in a
dedicated Redis service away from Cache.
2 changes: 1 addition & 1 deletion components/process.rst
Expand Up @@ -247,7 +247,7 @@ are done doing other stuff::
**synchronously** inside this event. Be aware that ``kernel.terminate``
is called only if you use PHP-FPM.

.. caution::
.. danger::

Beware also that if you do that, the said PHP-FPM process will not be
available to serve any new request until the subprocess is finished. This
2 changes: 1 addition & 1 deletion components/yaml.rst
Expand Up @@ -239,7 +239,7 @@ And parse them by using the ``PARSE_OBJECT`` flag::
The YAML component uses PHP's ``serialize()`` method to generate a string
representation of the object.

.. caution::
.. danger::

Object serialization is specific to this implementation, other PHP YAML
parsers will likely not recognize the ``php/object`` tag and non-PHP
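Review bot: the body under the new `.. danger::` only explains interoperability (other YAML parsers will not recognise the `php/object` tag), which is a compatibility caveat rather than a hazard. If the escalation is meant to warn that `PARSE_OBJECT` reconstructs PHP objects from the parsed document, and therefore must only be used on YAML that comes from a trusted source, say so explicitly in the body; otherwise `caution` describes the visible text more accurately.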
2 changes: 1 addition & 1 deletion configuration.rst
Expand Up @@ -748,7 +748,7 @@ To do so, define a parameter with the same name as the env var using this syntax
always exists, because its value will be ``null`` when the related env var
is not defined.

.. caution::
.. danger::

Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables
or outputting the ``phpinfo()`` contents will display the values of the
2 changes: 1 addition & 1 deletion configuration/secrets.rst
Expand Up @@ -47,7 +47,7 @@ running:
This will generate ``config/secrets/prod/prod.encrypt.public.php`` and
``config/secrets/prod/prod.decrypt.private.php``.

.. caution::
.. danger::

The ``prod.decrypt.private.php`` file is highly sensitive. Your team of developers
and even Continuous Integration services don't need that key. If the
2 changes: 1 addition & 1 deletion controller.rst
Expand Up @@ -144,7 +144,7 @@ and ``redirect()`` methods::
return $this->redirect('http://symfony.com/doc');
}

.. caution::
.. danger::

The ``redirect()`` method does not check its destination in any way. If you
redirect to a URL provided by end-users, your application may be open
2 changes: 1 addition & 1 deletion deployment/proxies.rst
Expand Up @@ -108,7 +108,7 @@ so you can also pass your own value (e.g. ``0b00110``).
# ...
trusted_proxies: '%env(TRUSTED_PROXIES)%'
.. caution::
.. danger::

The "trusted proxies" feature does not work as expected when using the
`nginx realip module`_. Disable that module when serving Symfony applications.
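Review bot: the escalated block still only says that trusted proxies "does not work as expected" with the nginx realip module, without naming the consequence. A `danger` admonition should state what goes wrong, namely that the module rewrites the remote address before Symfony sees it, so the client address derived through `trusted_proxies` can no longer be relied upon for access decisions; with that sentence readers can judge the risk instead of just following the instruction to disable the module.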
2 changes: 1 addition & 1 deletion http_cache/cache_invalidation.rst
Expand Up @@ -152,7 +152,7 @@ Then, register the class as a service that :doc:`decorates </service_container/s
;
};
.. caution::
.. danger::

You must protect the ``PURGE`` HTTP method somehow to avoid random people
purging your cached data.
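Review bot: "somehow" is too vague for a `danger` block. Suggest naming a concrete control, for example restricting the `PURGE` method to the addresses of the caching layer that actually needs it (the `access_control` section of the security configuration can match on request method and IP), and linking to that documentation rather than leaving the reader to guess.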
2 changes: 1 addition & 1 deletion http_cache/ssi.rst
Expand Up @@ -27,7 +27,7 @@ The SSI instructions are done via HTML comments:
There are some other `available directives`_ but
Symfony manages only the ``#include virtual`` one.

.. caution::
.. danger::

Be careful with SSI, your website may fall victim to injections.
Please read this `OWASP article`_ first!
2 changes: 1 addition & 1 deletion profiler.rst
Expand Up @@ -4,7 +4,7 @@ Profiler
The profiler is a powerful **development tool** that gives detailed information
about the execution of any request.

.. caution::
.. danger::

**Never** enable the profiler in production environments
as it will lead to major security vulnerabilities in your project.
2 changes: 1 addition & 1 deletion rate_limiter.rst
Expand Up @@ -11,7 +11,7 @@ Symfony uses these rate limiters in built-in features like :ref:`login throttlin
which limits how many failed login attempts a user can make in a given period of
time, but you can use them for your own features too.

.. caution::
.. danger::

By definition, the Symfony rate limiters require Symfony to be booted
in a PHP process. This makes them not useful to protect against `DoS attacks`_.
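Review bot: this block describes a scope limitation (the limiters only run once PHP has booted, so they cannot stop traffic before it reaches the application) rather than a hazard the feature introduces, which makes `danger` a questionable fit. Either keep `caution` here or reword the body so the danger is explicit: relying on these limiters as the only protection against `DoS attacks`_ leaves the application exposed, and a limit in front of PHP (web server, reverse proxy or CDN) is still required.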
2 changes: 1 addition & 1 deletion reference/configuration/twig.rst
Expand Up @@ -46,7 +46,7 @@ autoescape
If set to ``false``, automatic escaping is disabled (you can still escape each content
individually in the templates).

.. caution::
.. danger::

Setting this option to ``false`` is dangerous and it will make your
application vulnerable to `XSS attacks`_ because most third-party bundles
2 changes: 1 addition & 1 deletion security.rst
Expand Up @@ -845,7 +845,7 @@ The form can look like anything, but it usually follows some conventions:
Actually, all of this can be configured under the ``form_login`` key. See
:ref:`reference-security-firewall-form-login` for more details.

.. caution::
.. danger::

This login form is currently not protected against CSRF attacks. Read
:ref:`form_login-csrf` on how to protect your login form.
2 changes: 1 addition & 1 deletion serializer.rst
Expand Up @@ -82,7 +82,7 @@ custom normalizers and/or encoders can also be loaded by tagging them as
:ref:`serializer.encoder <reference-dic-tags-serializer-encoder>`. It's also
possible to set the priority of the tag in order to decide the matching order.

.. caution::
.. danger::

Always make sure to load the ``DateTimeNormalizer`` when serializing the
``DateTime`` or ``DateTimeImmutable`` classes to avoid excessive memory
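Review bot: the consequence described here is excessive memory use when `DateTime` or `DateTimeImmutable` are serialized without `DateTimeNormalizer`, which is a performance problem rather than a security one. If `danger` is reserved for security-relevant hazards in this batch, this hunk does not belong in it; if the intent is that the memory blow-up can take the process down, the body should say so plainly so the severity matches the text.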
2 changes: 1 addition & 1 deletion session.rst
Expand Up @@ -1679,7 +1679,7 @@ Then, register the ``SodiumMarshaller`` service using this key:
]);
};
.. caution::
.. danger::

This will encrypt the values of the cache items, but not the cache keys. Be
careful not to leak sensitive data in the keys.

0 comments on commit a750ec5