Hi all
while looking at user preferences I've noticed that it uses serialize/unserialize for storing the data in database. As this functions is quite famous in terms of security, I think we should avoid this.
Any reason for not using json encoding there instead? It encodes just the data and would not possibly call PHP code as unserialize could do because of objects with __wakeup() methods.