symfony · javiereguiluz · Dec 26, 2023 · Dec 17, 2023
diff --git a/components/http_foundation.rst b/components/http_foundation.rst
@@ -718,7 +718,7 @@ class, which can make this even easier::
 The ``JsonResponse`` class sets the ``Content-Type`` header to
 ``application/json`` and encodes your data to JSON when needed.
 
-.. caution::
+.. danger::
 
     To avoid XSSI `JSON Hijacking`_, you should pass an associative array
     as the outermost array to ``JsonResponse`` and not an indexed array so

diff --git a/components/lock.rst b/components/lock.rst
@@ -843,7 +843,7 @@ instance, to clean up the ``/tmp`` directory or after a reboot of the machine
 when a directory uses ``tmpfs``. It's not an issue if the lock is released when
 the process ended, but it is in case of ``Lock`` reused between requests.
 
-.. caution::
+.. danger::
 
     Do not store locks on a volatile file system if they have to be reused in
     several requests.
@@ -876,7 +876,7 @@ When the Memcached service is shared and used for multiple usage, Locks could be
 removed by mistake. For instance some implementation of the PSR-6 ``clear()``
 method uses the Memcached's ``flush()`` method which purges and removes everything.
 
-.. caution::
+.. danger::
 
     The method ``flush()`` must not be called, or locks should be stored in a
     dedicated Memcached service away from Cache.
@@ -984,7 +984,7 @@ be lost without notifying the running processes.
 When the Redis service is shared and used for multiple usages, locks could be
 removed by mistake.
 
-.. caution::
+.. danger::
 
     The command ``FLUSHDB`` must not be called, or locks should be stored in a
     dedicated Redis service away from Cache.

diff --git a/components/process.rst b/components/process.rst
@@ -251,7 +251,7 @@ are done doing other stuff::
     **synchronously** inside this event. Be aware that ``kernel.terminate``
     is called only if you use PHP-FPM.
 
-.. caution::
+.. danger::
 
     Beware also that if you do that, the said PHP-FPM process will not be
     available to serve any new request until the subprocess is finished. This

@@ -239,7 +239,7 @@ And parse them by using the ``PARSE_OBJECT`` flag::
 The YAML component uses PHP's ``serialize()`` method to generate a string
 representation of the object.
 
-.. caution::
+.. danger::
 
     Object serialization is specific to this implementation, other PHP YAML
     parsers will likely not recognize the ``php/object`` tag and non-PHP

diff --git a/configuration.rst b/configuration.rst
@@ -737,7 +737,7 @@ To do so, define a parameter with the same name as the env var using this syntax
     always exists, because its value will be ``null`` when the related env var
     is not defined.
 
-.. caution::
+.. danger::
 
     Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables
     or outputting the ``phpinfo()`` contents will display the values of the

diff --git a/configuration/secrets.rst b/configuration/secrets.rst
@@ -50,7 +50,7 @@ running:
 This will generate ``config/secrets/prod/prod.encrypt.public.php`` and
 ``config/secrets/prod/prod.decrypt.private.php``.
 
-.. caution::
+.. danger::
 
     The ``prod.decrypt.private.php`` file is highly sensitive. Your team of developers
     and even Continuous Integration services don't need that key. If the

diff --git a/controller.rst b/controller.rst
@@ -146,7 +146,7 @@ and ``redirect()`` methods::
         return $this->redirect('http://symfony.com/doc');
     }
 
-.. caution::
+.. danger::
 
     The ``redirect()`` method does not check its destination in any way. If you
     redirect to a URL provided by end-users, your application may be open

diff --git a/deployment/proxies.rst b/deployment/proxies.rst
@@ -104,7 +104,7 @@ and what headers your reverse proxy uses to send information:
             # ...
             trusted_proxies: '%env(TRUSTED_PROXIES)%'
 
-.. caution::
+.. danger::
 
     Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the
     application to `HTTP Host header attacks`_. Make sure the proxy really

diff --git a/http_cache/cache_invalidation.rst b/http_cache/cache_invalidation.rst
@@ -136,7 +136,7 @@ Then, register the class as a service that :doc:`decorates </service_container/s
             ;
         };
 
-.. caution::
+.. danger::
 
     You must protect the ``PURGE`` HTTP method somehow to avoid random people
     purging your cached data.

diff --git a/http_cache/ssi.rst b/http_cache/ssi.rst
@@ -27,7 +27,7 @@ The SSI instructions are done via HTML comments:
 There are some other `available directives`_ but
 Symfony manages only the ``#include virtual`` one.
 
-.. caution::
+.. danger::
 
     Be careful with SSI, your website may fall victim to injections.
     Please read this `OWASP article`_ first!

diff --git a/profiler.rst b/profiler.rst
@@ -4,7 +4,7 @@ Profiler
 The profiler is a powerful **development tool** that gives detailed information
 about the execution of any request.
 
-.. caution::
+.. danger::
 
     **Never** enable the profiler in production environments
     as it will lead to major security vulnerabilities in your project.

diff --git a/rate_limiter.rst b/rate_limiter.rst
@@ -15,7 +15,7 @@ Symfony uses these rate limiters in built-in features like :ref:`login throttlin
 which limits how many failed login attempts a user can make in a given period of
 time, but you can use them for your own features too.
 
-.. caution::
+.. danger::
 
     By definition, the Symfony rate limiters require Symfony to be booted
     in a PHP process. This makes them not useful to protect against `DoS attacks`_.

diff --git a/reference/configuration/twig.rst b/reference/configuration/twig.rst
@@ -41,7 +41,7 @@ autoescape
 If set to ``false``, automatic escaping is disabled (you can still escape each content
 individually in the templates).
 
-.. caution::
+.. danger::
 
     Setting this option to ``false`` is dangerous and it will make your
     application vulnerable to `XSS attacks`_ because most third-party bundles

diff --git a/security.rst b/security.rst
@@ -827,7 +827,7 @@ The form can look like anything, but it usually follows some conventions:
     Actually, all of this can be configured under the ``form_login`` key. See
     :ref:`reference-security-firewall-form-login` for more details.
 
-.. caution::
+.. danger::
 
     This login form is currently not protected against CSRF attacks. Read
     :ref:`form_login-csrf` on how to protect your login form.

diff --git a/serializer.rst b/serializer.rst
@@ -90,7 +90,7 @@ custom normalizers and/or encoders can also be loaded by tagging them as
 :ref:`serializer.encoder <reference-dic-tags-serializer-encoder>`. It's also
 possible to set the priority of the tag in order to decide the matching order.
 
-.. caution::
+.. danger::
 
     Always make sure to load the ``DateTimeNormalizer`` when serializing the
     ``DateTime`` or ``DateTimeImmutable`` classes to avoid excessive memory

diff --git a/session.rst b/session.rst
@@ -1573,7 +1573,7 @@ Then, register the ``SodiumMarshaller`` service using this key:
                 ]);
         };
 
-.. caution::
+.. danger::
 
     This will encrypt the values of the cache items, but not the cache keys. Be
     careful not to leak sensitive data in the keys.