From 99e6f774ce804e6c5102398f1351236d78591e4c Mon Sep 17 00:00:00 2001
From: Bernd
+ Warning: XPath expressions can contain functions, which can trigger resource consumption + and also have direct access to Java classes and methods. When working with object input also + XPath navigation can cause methods being invoked on this input graphs. For this reason XPath + expressions MUST NOT be constructed from untrusted input or allow untrusted users + to influence them. This can lead to all kind of security critical behavior including remote + code execution RCE. Also mind injection attacks if you plan string concatenation for XPath + expressions. A (meanwhile rejected) vulnerability entry (CVE-2022-41852) exists for + this topic. It was rejected because the behavior is by design - XPath is intended as a powerful + scripting and expression language. However, improvements (like function allow lists) are planned + for future releases. +
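Review bot: the added warning needs a grammar pass before it lands in user-facing documentation, since several sentences in this hunk are hard to parse: "When working with object input also XPath navigation can cause methods being invoked on this input graphs" should read "When working with object input, XPath navigation can also cause methods to be invoked on the input graph"; "all kind of security critical behavior including remote code execution RCE" should read "all kinds of security-critical behavior, including remote code execution (RCE)"; and "Also mind injection attacks if you plan string concatenation" reads more clearly as "Also beware of injection attacks if you build XPath expressions by string concatenation". The core requirement (expressions MUST NOT be constructed from untrusted input) is the right message and is correctly stated up front. Two smaller points: "A (meanwhile rejected) vulnerability entry (CVE-2022-41852) exists" would be clearer as "A vulnerability entry (CVE-2022-41852) was filed for this topic and later rejected", and the closing sentence about function allow lists "planned for future releases" will go stale quickly; either reference the tracking issue for that work (placeholder: JXPATH-NNN) or drop the forward-looking sentence and keep the warning to current behavior.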
JXPath documentation currently contains: