Skip to content

Stop sending error message in bean validation response #625

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mikewalch merged 1 commit into from
Sep 4, 2018
Merged

Stop sending error message in bean validation response #625

mikewalch merged 1 commit into from
Sep 4, 2018

Conversation

@mikewalch
Copy link
Member

@mikewalch mikewalch commented Aug 31, 2018

No description provided.

@milleruntime
Copy link
Contributor

milleruntime commented Aug 31, 2018

What does this fix?

@ctubbsii
Copy link
Member

ctubbsii commented Aug 31, 2018

Can you provide a description regarding why this is desired? I don't understand the benefit of hiding these error messages from the user, especially the way we use the bean validator.

@mikewalch
Copy link
Member Author

mikewalch commented Aug 31, 2018

The error messages are not being sanitized by the underlying framework so they could be used for XSS.

@ctubbsii
Copy link
Member

ctubbsii commented Aug 31, 2018

Do they include user input, or just our own messages? I thought just the latter, so XSS wouldn't be an issue. It's fine to drop them, though... I think users should never see those error messages anyway, if they are using the web service with links from our own monitor app, because we'll never provide a link which generates such an error message (we shouldn't anyway).

@milleruntime
Copy link
Contributor

milleruntime commented Aug 31, 2018

I tested it out running uno locally and this will work in firefox:
http://localhost:9995/tservers?s=%3Cscript%3Ewindow.alert(%27Got%20ya!%27)%3C/script%3E

@mikewalch mikewalch merged commit f7d0518 into apache:master Sep 4, 2018
@mikewalch mikewalch deleted the bean-validation branch September 4, 2018 15:08
@ctubbsii ctubbsii added this to the 2.0.0 milestone Jul 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ctubbsii ctubbsii ctubbsii approved these changes

@milleruntime milleruntime milleruntime approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@mikewalch @milleruntime @ctubbsii