
src/java.base/share/classes/java/io/Serializable.java

rev 49438 : 8197595: Serialization javadoc should link to security best practices
Reviewed-by: lancea, sean, ahgross

*** 25,35 **** package java.io; /** * Serializability of a class is enabled by the class implementing the ! * java.io.Serializable interface. Classes that do not implement this * interface will not have any of their state serialized or * deserialized. All subtypes of a serializable class are themselves * serializable. The serialization interface has no methods or fields * and serves only to identify the semantics of being serializable. <p> * --- 25,45 ---- package java.io; /** * Serializability of a class is enabled by the class implementing the ! * java.io.Serializable interface. ! * ! * <p><strong>Warning: Deserialization of untrusted data is inherently dangerous ! * and should be avoided. Untrusted data should be carefully validated according to the ! * "Serialization and Deserialization" section of the ! * {@extLink secure_coding_guidelines_javase Secure Coding Guidelines for Java SE}. ! * {@extLink serialization_filter_guide Serialization Filtering} describes best ! * practices for defensive use of serial filters. ! * </strong></p> ! * ! * Classes that do not implement this * interface will not have any of their state serialized or * deserialized. All subtypes of a serializable class are themselves * serializable. The serialization interface has no methods or fields * and serves only to identify the semantics of being serializable. <p> *
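Review bot: the added `<p><strong>Warning: ...</strong></p>` block points readers only to external documents through `{@extLink secure_coding_guidelines_javase ...}` and `{@extLink serialization_filter_guide ...}`, while the in-JDK mechanism it recommends is never linked; consider adding `{@link ObjectInputFilter}` (and/or `{@link ObjectInputStream#setObjectInputFilter(ObjectInputFilter)}`) so that a reader of `Serializable` lands on the filter API without leaving the API docs. Since `extLink` is a custom taglet, please also confirm that both keys are defined in the taglet's link table, otherwise the javadoc build will report an unknown link rather than render the warning. Minor wording point: "is inherently dangerous and should be avoided" followed immediately by "Untrusted data should be carefully validated" reads as two competing recommendations; something like "Where it cannot be avoided, untrusted data should be carefully validated according to ..." makes the intended order of preference explicit.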