From b164cbb8305edbebf72fb3d26163005fff5f1108 Mon Sep 17 00:00:00 2001
From: Florian Anderiasch <fa@php.net>
Date: Sun, 10 May 2009 21:21:10 +0000
Subject: [PATCH] clarification: warning according to bug #48180

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@280311 c90b9560-bf6c-de11-be94-00142212c4b1
---
 reference/mbstring/functions/mb-ereg-replace.xml  | 7 ++++++-
 reference/mbstring/functions/mb-eregi-replace.xml | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/reference/mbstring/functions/mb-ereg-replace.xml b/reference/mbstring/functions/mb-ereg-replace.xml
index 7abf5f418d..b693a9f236 100644
--- a/reference/mbstring/functions/mb-ereg-replace.xml
+++ b/reference/mbstring/functions/mb-ereg-replace.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- $Revision: 1.9 $ -->
+<!-- $Revision: 1.10 $ -->
 <refentry xml:id="function.mb-ereg-replace" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
  <refnamediv>
   <refname>mb_ereg_replace</refname>
@@ -85,6 +85,11 @@
   &reftitle.notes;
   
   &note.mbstring.encoding.internal;
+  <warning>
+   <para>
+   Warning: Never use the <literal>e</literal> modifier when working on untrusted input. No automatic escaping will happen (as known from preg_replace). Not taking care of this will most likely create remote code execution vulnerabilities in your application.
+   </para>
+  </warning>
  </refsect1>
 
  <refsect1 role="seealso">
diff --git a/reference/mbstring/functions/mb-eregi-replace.xml b/reference/mbstring/functions/mb-eregi-replace.xml
index 8615e723e8..8b1afe5dbf 100644
--- a/reference/mbstring/functions/mb-eregi-replace.xml
+++ b/reference/mbstring/functions/mb-eregi-replace.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- $Revision: 1.9 $ -->
+<!-- $Revision: 1.10 $ -->
 <refentry xml:id="function.mb-eregi-replace" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
  <refnamediv>
   <refname>mb_eregi_replace</refname>
@@ -74,6 +74,11 @@
   &reftitle.notes;
   
   &note.mbstring.encoding.internal;
+  <warning>
+   <para>
+   Warning: Never use the <literal>e</literal> modifier when working on untrusted input. No automatic escaping will happen (as known from preg_replace). Not taking care of this will most likely create remote code execution vulnerabilities in your application.
+   </para>
+  </warning>
  </refsect1>
 
  <refsect1 role="seealso">