Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations #953
Comments
See also #892.
The issue I reported could be rectified if the Is it something that could be considered? I don't see a point in printing out the value that was sent in the request payload.
Funny, I was just about to prepare a patch that used that very function to log invalid messages on the server side. On the client, it probably is not as necessary, since the client might know what it just sent.
Please have a look at the pull request #1001
joschi added a commit that referenced this issue on Apr 25, 2015: "Possible reflective cross site scripting in ConstraintViolation Fixes #953"
We have come across a problem when doing JSR-303 validation, due to dropwizard ConstraintViolations adding the InvalidValue back in the message. The following request payload will result in the following error

We don't want the "was" part.

Based on the investigation we found that it is being appended in the ConstraintViolations.format() method. Is there any way that we can avoid the invalidValue from being attached to the message? If not, can we have a feature switch for that?
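As an added illustration of the two options raised in this thread (a switch that drops the invalid value, and escaping it when it is kept), here is a small stand-alone formatter. It is not Dropwizard's ConstraintViolations.format(); the "path message (was value)" layout and the 64-character cap are assumptions made for the example.

```java
import java.util.Objects;

/**
 * Hypothetical formatter for a constraint violation message.
 * includeInvalidValue=false gives the behaviour the issue asks for;
 * includeInvalidValue=true keeps the "was" suffix but HTML-escapes and
 * truncates the untrusted value so a browser renders it as plain text.
 */
public final class SafeViolationFormatter {
    private static final int MAX_ECHOED_LENGTH = 64; // assumption, not a Dropwizard setting
    private final boolean includeInvalidValue;

    public SafeViolationFormatter(boolean includeInvalidValue) {
        this.includeInvalidValue = includeInvalidValue;
    }

    /** Escape the characters that change meaning in an HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public String format(String propertyPath, String message, Object invalidValue) {
        String base = propertyPath + " " + message;
        if (!includeInvalidValue) {
            return base; // never reflect request data into the error message
        }
        String value = Objects.toString(invalidValue, "null");
        if (value.length() > MAX_ECHOED_LENGTH) {
            value = value.substring(0, MAX_ECHOED_LENGTH) + "...";
        }
        return base + " (was " + escapeHtml(value) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample input: a request value that happens to contain markup.
        Object sent = "<b>not-an-email</b>";
        System.out.println(new SafeViolationFormatter(false).format("email", "must be a well-formed email address", sent));
        System.out.println(new SafeViolationFormatter(true).format("email", "must be a well-formed email address", sent));
    }
}
```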