Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add xss protection to validation response #2370

Merged
merged 1 commit into from
Feb 9, 2015

Conversation

shinyaohira
Copy link

Validation field should also be escaped.

{"statusCode":400,"error":"Bad Request","message":"&lt;script&gt;&lt;&#x2f;script&gt; is not allowed","validation":{"source":"query","keys":["<script></script>"]}}

@kanongil
Copy link
Contributor

Why should it be escaped? I would think that it is the receivers responsibility not to expose validation keys without escaping.

@shinyaohira
Copy link
Author

Because attackers don't escape it intentionally. It was fixed by #697, but I think it is incomplete.

@hueniverse hueniverse added bug Bug or defect security Issue with security impact labels Feb 9, 2015
@hueniverse hueniverse self-assigned this Feb 9, 2015
hueniverse pushed a commit that referenced this pull request Feb 9, 2015
Add xss protection to validation response
@hueniverse hueniverse merged commit 5ccfd61 into hapijs:master Feb 9, 2015
@hueniverse hueniverse added this to the 8.2.0 milestone Feb 9, 2015
@lock
Copy link

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Bug or defect security Issue with security impact
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants