From 54cadfd6787c73d8c39dcfd6610619a51c6884e1 Mon Sep 17 00:00:00 2001 From: Marcin Polak Date: Fri, 11 Mar 2016 13:11:30 +0100 Subject: [PATCH] Update zend.form.quick-start.rst Missing documentation about "preferFormInputFilter" flag. Discussed with Matthew Weier O'Phinney on zf-security@zend.com - 08.03.2014 and still missing --- docs/src/modules/zend.form.quick-start.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/src/modules/zend.form.quick-start.rst b/docs/src/modules/zend.form.quick-start.rst index 971464193..6d7331667 100644 --- a/docs/src/modules/zend.form.quick-start.rst +++ b/docs/src/modules/zend.form.quick-start.rst @@ -571,6 +571,8 @@ additional user configuration! Some form elements may need a particular input filter, like ``Zend\Form\Element\File``: in this case it's mandatory to specify the ``type`` key in your custom specification to match the original one (in ex. for the file element it's ``Zend\InputFilter\FileInput``). + Remember that by default ``getInputFilterSpecification()`` is prefered over element and fieldset defaults. It may lead to serious security vulnerabilities like missing ``Zend\Validator\InArray`` validator for select elements. You can change this behavior by calling ``setPreferFormInputFilter(false)`` on corresponding form. + .. _zend.form.quick-start.binding: Binding an object
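Review bot: the added paragraph has a spelling error ("prefered" should be "preferred") and is missing an article ("on the corresponding form"); please fix both before merging. Since the commit message is about the ``preferFormInputFilter`` flag, the new text should also name the flag itself rather than only the setter, e.g. "by default (``preferFormInputFilter`` is ``true``) the form's ``getInputFilterSpecification()`` takes precedence over the input specifications that elements and fieldsets provide". The security point would land better if it were stated concretely: a select element's default input specification contributes a ``Zend\Validator\InArray`` validator that restricts submitted values to the configured options, so a form-level specification that overrides that input without re-adding ``InArray`` lets values outside the option list pass validation; developers should either include the validator in their own specification or call ``setPreferFormInputFilter(false)`` so the element defaults are kept.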