jsr340-experts@servlet-spec.java.net

[jsr340-experts] Responsibility for safe use of message in HttpServletResponse.sendError(int, String)

From: Mark Thomas <markt_at_apache.org>
Date: Thu, 22 May 2014 22:50:41 +0100

All,

When an application calls HttpServletResponse.sendError(int, String) the
Javadoc states that:

<quote>
The server defaults to creating the response to look like an
HTML-formatted server error page containing the specified message,
setting the content type to "text/html".
</quote>

My question is a simple one.

If the message contains user-provided data (for example it might say
"ABCDEFG is not a valid UK postcode") who is responsible for ensuring
that the message is safe to use in the error response? Is it the caller
or is it the component that generates the error response?

It is my belief that it is the component generating the error response
that is responsible. The caller does not know what format will be used
for the error response (HTML, XML, JSON, something else) and, therefore,
has no way of determining what is the appropriate escaping / encoding /
safety mechanism of choice to use. Therefore, it has to be the
responsibility of the component generating the response.

Do the other EG members agree and, if so, can we get the spec updated to
make that explicit?

Cheers,

Mark
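
Added example, not part of the original message and not taken from any servlet container: a sketch of the position argued above, where the caller hands over the raw message and the component that picks the response format applies the matching encoding. The class ErrorBodyRenderer, its methods and the sample message are hypothetical and constructed for illustration.

```java
// Hypothetical error-body generator (not container code); all names are assumptions.
public class ErrorBodyRenderer {
    // HTML encoding of the five characters significant in text and attribute contexts.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // JSON string encoding; markup characters are also escaped so the body stays inert if sniffed as HTML.
    static String escapeJson(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20 || c == '<' || c == '>' || c == '&') out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    // The caller passes the raw message; the encoding follows the format chosen here.
    static String render(int status, String rawMessage, String contentType) {
        switch (contentType) {
            case "text/html":
                return "<html><body><h1>HTTP " + status + "</h1><p>" + escapeHtml(rawMessage) + "</p></body></html>";
            case "application/json":
                return "{\"status\":" + status + ",\"message\":\"" + escapeJson(rawMessage) + "\"}";
            default: // text/plain: no markup context, only control characters are replaced
                return status + " " + rawMessage.replaceAll("\\p{Cntrl}", " ");
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a user-supplied postcode value that contains markup.
        String msg = "<script>x</script>\" is not a valid UK postcode";
        for (String type : new String[] {"text/html", "application/json", "text/plain"}) {
            System.out.println(type + " -> " + render(400, msg, type));
        }
    }
}
```

The same raw message produces three differently encoded bodies, which a caller that escaped for HTML up front could not have achieved for the JSON or plain-text cases.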