diff --git a/extension/Documentation/Manual.rst b/extension/Documentation/Manual.rst
index 79970869eb70efe8bd43c9fa9bd98a9b642c25f0..4e6b5c2844fa077dfa8570ddd813978d4527efb0 100644
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -3914,11 +3914,11 @@ QFQ content record::
 head = <form action='#' method='get'><input type='hidden' name='id' value='{{pageId:T}}'>Search: <input type='text' name='search' value='{{search:CE:all}}'><input type='submit' value='Submit'></form>
 }
- # SQL statement will find and list all the relevant forms
+ # SQL statement will find and list all the relevant forms - be careful not to open a cross site scripting door: the parameter 'search' needs to be sanatized.
 20 {
 sql = SELECT CONCAT('?detail&form=form&r=', f.id) AS _Pagee, f.id, f.name, f.title FROM Form AS f
- WHERE f.name LIKE '%{{search:CE:all}}%'
+ WHERE f.name LIKE '%{{search:CE:alnumx}}%'
 head = <table class='table'>
 tail = </table>
 rbeg = <tr>