changeset 5821:99e2309a7ec0

xslt/4suite insecurity hint, always keep allow_xslt = False
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 24 Jan 2012 17:04:29 +0100
parents ff39884957af
children 735ce48f60b2
files MoinMoin/config/multiconfig.py docs/CHANGES
diffstat 2 files changed, 5 insertions(+), 1 deletions(-)
--- a/MoinMoin/config/multiconfig.py	Thu Jan 19 16:21:14 2012 +0100
+++ b/MoinMoin/config/multiconfig.py	Tue Jan 24 17:04:29 2012 +0100
@@ -787,7 +787,7 @@
      "Exclude unwanted actions (list of strings)"),
 
     ('allow_xslt', False,
-     "if True, enables XSLT processing via 4Suite (note that this enables anyone with enough know-how to insert '''arbitrary HTML''' into your wiki, which is why it defaults to `False`)"),
+        "if True, enables XSLT processing via 4Suite (Note that this is DANGEROUS. It enables anyone who can edit the wiki to get '''read/write access to your filesystem as the moin process uid/gid''' and to insert '''arbitrary HTML''' into your wiki pages, which is why this setting defaults to `False` (XSLT disabled). Do not set it to other values, except if you know what you do and if you have very trusted editors only)."),
 
     ('password_checker', DefaultExpression('_default_password_checker'),
      'checks whether a password is acceptable (default check is length >= 6, at least 4 different chars, no keyboard sequence, not username used somehow (you can switch this off by using `None`)'),
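Review bot: the replacement help string for `allow_xslt` is indented with eight spaces while the neighbouring entries in the same table (the `"Exclude unwanted actions (list of strings)"` line above and the `password_checker` string below) use five, so this tuple now stands out from the rest of the options table; re-indent it to match. The wording change itself is the right call: naming the concrete impact (read/write access to the filesystem as the moin process uid/gid, for anyone who can edit the wiki) tells an admin far more than the old "arbitrary HTML" phrasing did. One readability nit: the new string nests parentheses three deep ("(Note that ... defaults to `False` (XSLT disabled). Do not set it ...)"), which renders awkwardly in the generated HelpOnConfiguration table; moving the "Do not set it to other values ..." advice into its own sentence outside the parenthesis would make it easier to scan.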
--- a/docs/CHANGES	Thu Jan 19 16:21:14 2012 +0100
+++ b/docs/CHANGES	Tue Jan 24 17:04:29 2012 +0100
@@ -18,6 +18,10 @@
 
 Version 1.9.4:
 
+  SECURITY HINT: make sure you have allow_xslt = False (or just do not use
+  allow_xslt at all in your wiki configs, False is the internal default).
+  Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
+
   HINT: Python >= 2.5 is maybe required!
   To use all the code that is bundled in the MoinMoin download release,
   you are required to have Python >= 2.5 now. This is primarily due to
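Review bot: the new CHANGES entry only says that allowing XSLT/4suite is "very dangerous" and points to the HelpOnConfiguration wiki page; since docs/CHANGES is what an upgrading admin reads first, often offline, state the impact here as well (anyone who can edit the wiki gains read/write access to the filesystem as the moin process uid/gid, as the multiconfig.py docstring in this same changeset puts it) so the hint is actionable on its own. The advice to "just do not use allow_xslt at all in your wiki configs" should also remind admins to check every wikiconfig/farmconfig they deploy, because the internal default of False only applies when no config file sets the option.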