diff --git a/_posts/10-04-01-Data-Filtering.md b/_posts/10-04-01-Data-Filtering.md index dcba882..a1b3e17 100644 --- a/_posts/10-04-01-Data-Filtering.md +++ b/_posts/10-04-01-Data-Filtering.md @@ -48,6 +48,12 @@ libraries like [HTML Purifier][html-purifier] exists for this reason. [See Sanitization Filters][2] +### Unserialization + +It is dangerous to `unserialize()` data from users or other untrusted sources. Doing so can allow malicious users to instantiate objects (with user-defined properties) whose destructors will be executed, **even if the objects themselves aren't used**. You should therefore avoid unserializing untrusted data. + +If you absolutely must unserialize data from untrusted sources, use PHP 7's [`allowed_classes`][unserialize] option to restrict which object types are allowed to be unserialized. + ### Validation Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a @@ -63,3 +69,4 @@ phone number, or age when processing a registration submission. [5]: http://php.net/function.filter-input [6]: http://php.net/security.filesystem.nullbytes [html-purifier]: http://htmlpurifier.org/ +[unserialize]: https://secure.php.net/manual/en/function.unserialize.php
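Review bot: in the first hunk, the new "Unserialization" paragraph names only destructors as the danger, but `unserialize()` also invokes `__wakeup()` on every object it restores, and `__wakeup()`/`__destruct()` are exactly the magic methods that object-injection gadget chains rely on; suggest "whose magic methods (such as `__wakeup()` and `__destruct()`) will be executed" in place of "whose destructors will be executed". The second paragraph says to use the `allowed_classes` option but never shows it; since the page is a how-to, spell out the call, e.g. `unserialize($data, ['allowed_classes' => false]);` to reject every class (disallowed objects come back as `__PHP_Incomplete_Class`), or `['allowed_classes' => ['App\Money']]` for an explicit whitelist, and note that the option requires PHP 7.0 or later so readers on PHP 5 know it will not protect them. Finally, the usual recommendation on this page's topic is to prefer a data-only format for untrusted input (`json_decode()` instead of `unserialize()`); a sentence to that effect before "If you absolutely must unserialize" would give readers the safe default rather than only the mitigation.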
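Review bot: in the second hunk, the added `[unserialize]` reference uses the long form `https://secure.php.net/manual/en/function.unserialize.php`, whereas the neighbouring entries `[5]` and `[6]` use the site's short-form URLs (`http://php.net/function.filter-input`, `http://php.net/security.filesystem.nullbytes`); for consistency use `http://php.net/function.unserialize`, or, if the intent is to move to HTTPS, update the adjacent entries in the same change rather than mixing the two styles.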