Merge branch '8.0' into 8.1

* 8.0:
  Add notes about unsafe `PARSE_*` flags for yaml

Author: javiereguiluz

components/yaml.rst

@@ -241,6 +241,11 @@ representation of the object.
     parsers will likely not recognize the ``php/object`` tag and non-PHP
     implementations certainly won't - use with discretion!
 
+.. danger::
+
+    Parsing ``!php/object`` tags uses PHP deserialization internally. Never
+    enable ``PARSE_OBJECT`` for untrusted YAML contents.
+
 Parsing and Dumping Objects as Maps
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -326,6 +331,11 @@ syntax to parse them as proper PHP constants::
     $parameters = Yaml::parse($yaml, Yaml::PARSE_CONSTANT);
     // $parameters = ['foo' => 'PHP_INT_SIZE', 'bar' => 8];
 
+.. warning::
+
+    Enabling ``PARSE_CONSTANT`` allows YAML contents to resolve arbitrary PHP
+    constants and enum cases. Only enable it for trusted input.
+
 Parsing PHP Enumerations
 ~~~~~~~~~~~~~~~~~~~~~~~~