
src/java.base/share/classes/java/io/ObjectInputFilter.java

rev 49438 : 8197595: Serialization javadoc should link to security best practices
Reviewed-by: lancea, sean, ahgross

*** 36,45 **** --- 36,54 ---- import jdk.internal.misc.SharedSecrets; /** * Filter classes, array lengths, and graph metrics during deserialization. + * + * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous + * and should be avoided. Untrusted data should be carefully validated according to the + * "Serialization and Deserialization" section of the + * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. + * {@extLink serialization_filter_guide Serialization Filtering} describes best + * practices for defensive use of serial filters. + * </strong></p> + * * If set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)} * method is called to validate classes, the length of each array, * the number of objects being read from the stream, the depth of the graph, * and the total number of bytes read from the stream. * <p>
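Review bot: The two `{@extLink ...}` references in the new warning paragraph (`secure_coding_guidelines_javase` and `serialization_filter_guide`) are taglet keys rather than URLs, so the javadoc build will fail unless both keys are registered in the extLink taglet configuration; please confirm they resolve before pushing. The wording itself is appropriate: it states that deserialization of untrusted data should be avoided, points to the Secure Coding Guidelines for validation, and frames serial filters as a defensive measure rather than a substitute for validation. One small readability suggestion: keep the `<strong>` block limited to the "Warning:" paragraph as done here, and avoid wrapping the following sentence that describes the `checkInput(FilterInfo)` mechanism, so the emphasis stays on the security caveat rather than the API description.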