Add an additional banner warning users about accepting untrusted schemas.

Julian · Julian · commit 2bb4ee7cb8cb · 2026-01-17T09:21:49.000-05:00
diff --git a/docs/spelling-wordlist.txt b/docs/spelling-wordlist.txt
@@ -37,6 +37,7 @@ recurses
 regex
 repr
 runtime
+sandboxing
 sensical
 subclassing
 submodule
diff --git a/docs/validate.rst b/docs/validate.rst
@@ -11,16 +11,19 @@ Schema Validation
 
    If you aren't already comfortable with writing schemas and need an introduction which teaches about JSON Schema the specification, you may find :ujs:`Understanding JSON Schema </>` to be a good read!
 
-
 The Basics
 ----------
 
-The simplest way to validate an instance under a given schema is to use the
-`validate <jsonschema.validators.validate>` function.
+The simplest way to validate an instance under a given schema is to use the `validate <jsonschema.validators.validate>` function.
 
 .. autofunction:: validate
     :noindex:
 
+.. warning::
+
+   Accepting untrusted schemas as input, especially when combined with untrusted data to validate, can lead to vulnerabilities even when restricting to official JSON Schema dialects and vocabularies.
+   Never validate data against schemas from untrusted sources without proper sandboxing or input validation.
+
 .. _validator-protocol:
 
 The Validator Protocol
