Security Flaw With acts_as_xapian

I've found a secuirty issue with the proxy implementation of
find_with_xapian in the acts_as_xapian plugin. I've documented it over
at the acts_as_xapian Google Group (
acts_as_xapian/browse_thread/thread/8bc8da3275985383) but since that
group is pretty low traffic I thought it would be a good idea to let
people know about it here too just in case they're using aax but don't
know about it yet.