diff --git a/language/oop5/autoload.xml b/language/oop5/autoload.xml
index 85cb389b5f..e2496defd0 100644
--- a/language/oop5/autoload.xml
+++ b/language/oop5/autoload.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.8 $ -->
+<!-- $Revision: 1.9 $ -->
  <sect1 xml:id="language.oop5.autoload" xmlns="http://docbook.org/ns/docbook">
   <title>Autoloading Objects</title>
   <para>
@@ -28,6 +28,14 @@
     <link linkend="features.commandline">interactive mode</link>.
    </para>
   </note>
+  <note>
+   <para>
+    If the class name is used e.g. in <function>call_user_func</function> then
+    it can contain some dangerous characters such as <literal>../</literal>.
+    It is recommended to not use the user-input in such functions or at least
+    verify the input in <function>__autoload</function>.
+   </para>
+  </note>
   <para>
    <example>
     <title>Autoload example</title>