Guard against invalid id/event values in Server Sent Events #36440

@bclozel

Our implementations of Server Sent Events (SSE), currently SseEmitter (MVC) and ServerSentEvent (WebFlux), do not guard against invalid characters if the application mistakenly inserts such characters in the id or event event types. Both implementations also behave differently when it comes to escaping comment multi-line events.

This issue should address the following:

  • align behavior for comment events
  • reject invalid characters for the id and event cases
  • optimize String concatenation and memory usage where possible
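
The guard this issue asks for, sketched as an added example; it is not Spring Framework code and not the project's actual fix. It assumes, from the SSE wire format, that CR and LF are invalid in id and event values and that NUL is invalid in id; SseFieldGuard and its methods are hypothetical names, and the sample values are constructed.

```java
// Added example, not Spring Framework code: class and method names are hypothetical.
public final class SseFieldGuard {

    // id and event are single-line fields: a CR or LF would end the field early,
    // and the client would parse the rest of the value as a new field or event.
    static String requireSingleLine(String field, String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException("SSE '" + field + "' must not contain line breaks");
            }
            // Assumption from the SSE format: clients ignore an id that contains U+0000.
            if (c == '\0' && field.equals("id")) {
                throw new IllegalArgumentException("SSE 'id' must not contain NUL");
            }
        }
        return value;
    }

    // Comments may span several lines, but every line needs its own ':' prefix.
    static void appendComment(StringBuilder out, String comment) {
        for (String line : comment.split("\r\n|\r|\n", -1)) {
            out.append(':').append(line).append('\n');
        }
    }

    static String format(String id, String event, String comment, String data) {
        StringBuilder out = new StringBuilder();
        if (comment != null) appendComment(out, comment);
        if (id != null) out.append("id:").append(requireSingleLine("id", id)).append('\n');
        if (event != null) out.append("event:").append(requireSingleLine("event", event)).append('\n');
        for (String line : data.split("\r\n|\r|\n", -1)) {
            out.append("data:").append(line).append('\n');
        }
        return out.append('\n').toString(); // blank line terminates the event
    }

    public static void main(String[] args) {
        // Constructed sample values: one valid event, then three invalid ids.
        System.out.print(format("42", "price", "keep-alive\nsecond line", "{\"v\":1}"));
        for (String bad : new String[] {"42\nevent:other", "42\r", "4\0x"}) {
            try {
                format(bad, "price", null, "x");
                System.out.println("accepted (unexpected)");
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
    }
}
```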

Labels

  • in: web - Issues in web modules (web, webmvc, webflux, websocket)
  • status: backported - An issue that has been backported to maintenance branches
  • type: bug - A general bug