Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add xss protection to validation response #2370

merged 1 commit into from Feb 9, 2015


Copy link

@shinyaohira shinyaohira commented Jan 26, 2015

Validation field should also be escaped.

{"statusCode":400,"error":"Bad Request","message":"&lt;script&gt;&lt;&#x2f;script&gt; is not allowed","validation":{"source":"query","keys":["<script></script>"]}}
Copy link

@kanongil kanongil commented Jan 30, 2015

Why should it be escaped? I would think that it is the receivers responsibility not to expose validation keys without escaping.

Copy link

@shinyaohira shinyaohira commented Jan 31, 2015

Because attackers don't escape it intentionally. It was fixed by #697, but I think it is incomplete.

@hueniverse hueniverse self-assigned this Feb 9, 2015
hueniverse pushed a commit that referenced this issue Feb 9, 2015
Add xss protection to validation response
@hueniverse hueniverse merged commit 5ccfd61 into hapijs:master Feb 9, 2015
1 check passed
@hueniverse hueniverse added this to the 8.2.0 milestone Feb 9, 2015
Copy link

@lock lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants