Removed input value from default_error_message #5881
Conversation
It's never a good idea to return the provided input in an error message, as it can easily result in a reflected XSS. Imagine someone sends a form with a field like "<script>something evil</script>": you return the value and the frontend may not sanitize it properly, as it trusts its own backend. :)
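To make the point concrete, here is an added example (not code from this pull request or from Django REST Framework) that mimics the DRF pattern of `default_error_messages` templates rendered via `fail()`. The field classes and the `validate`/`reflects_input` helpers are hypothetical; the "before" template echoes the submitted value into the error, the "after" template does not.

```python
# Added example (not code from this pull request or from Django REST Framework):
# a stand-in for a DRF-style field whose default_error_messages are rendered
# with str.format(). VulnerableBooleanField/SafeBooleanField are hypothetical.

class ValidationError(Exception):
    def __init__(self, detail):
        super().__init__(detail)
        self.detail = detail

class Field:
    default_error_messages = {}

    def fail(self, key, **kwargs):
        # Mirrors the DRF pattern: look up the message template and format it.
        raise ValidationError(self.default_error_messages[key].format(**kwargs))

TRUE_VALUES = {"true", "True", "1", 1, True}
FALSE_VALUES = {"false", "False", "0", 0, False}

class VulnerableBooleanField(Field):
    # Before the fix: the raw submitted value is interpolated into the message.
    default_error_messages = {"invalid": '"{input}" is not a valid boolean.'}

    def to_internal_value(self, data):
        if data in TRUE_VALUES:
            return True
        if data in FALSE_VALUES:
            return False
        self.fail("invalid", input=data)

class SafeBooleanField(VulnerableBooleanField):
    # After the fix: a fixed message that never echoes the submitted value.
    default_error_messages = {"invalid": "Must be a valid boolean."}

def validate(field, data):
    """Return {"value": ...} or {"errors": [...]} the way an API view would."""
    try:
        return {"value": field.to_internal_value(data)}
    except ValidationError as exc:
        return {"errors": [exc.detail]}

# Constructed sample: an attacker-controlled form field value.
PAYLOAD = "<script>something evil</script>"

def reflects_input(field, raw=PAYLOAD):
    """True if the error response carries the raw input back verbatim."""
    result = validate(field, raw)
    return any(raw in msg for msg in result.get("errors", []))
```

Running `reflects_input` over a serializer's fields with a marker string is a cheap regression check that no error template reintroduces the submitted value.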
lovelydinosaur commented Mar 23, 2018
Looks like there are some tests that'd need updating too. I'd prefer the form "Must be a ..." for the wording.
Signed-off-by: Sascha Pfeiffer <sascha.pfeiffer@psono.com>
chickahoona commented Mar 24, 2018 (edited)
Thanks for the ping. Should pass now. I didn't get the "Must be a ... for the wording" thing.
Signed-off-by: Sascha Pfeiffer <sascha.pfeiffer@psono.com>
lovelydinosaur commented Mar 24, 2018
I meant we should use the phrasing "Must be a valid boolean" instead of "Is not a valid boolean."
as per review from@tomchristie.