Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add xss protection to validation response #2370

merged 1 commit into from
Feb 9, 2015


Copy link

Validation field should also be escaped.

{"statusCode":400,"error":"Bad Request","message":"&lt;script&gt;&lt;&#x2f;script&gt; is not allowed","validation":{"source":"query","keys":["<script></script>"]}}

Copy link

Why should it be escaped? I would think that it is the receivers responsibility not to expose validation keys without escaping.

Copy link

Because attackers don't escape it intentionally. It was fixed by #697, but I think it is incomplete.

@hueniverse hueniverse added bug Bug or defect security Issue with security impact labels Feb 9, 2015
@hueniverse hueniverse self-assigned this Feb 9, 2015
hueniverse pushed a commit that referenced this pull request Feb 9, 2015
Add xss protection to validation response
@hueniverse hueniverse merged commit 5ccfd61 into hapijs:master Feb 9, 2015
@hueniverse hueniverse added this to the 8.2.0 milestone Feb 9, 2015
Copy link

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
bug Bug or defect security Issue with security impact
None yet

Successfully merging this pull request may close these issues.

None yet

4 participants