jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: Responsibility for safe use of message in HttpServletResponse.sendError(int, String)

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Fri, 23 May 2014 16:27:45 -0700

On 5/22/14, 2:50 PM, Mark Thomas wrote:
> All,
>
> When an application calls HttpServletResponse.sendError(int, String) the
> Javadoc states that:
>
> <quote>
> The server defaults to creating the response to look like an
> HTML-formatted server error page containing the specified message,
> setting the content type to "text/html".
> </quote>
>
> My question is a simple one.
>
> If the message contains user provided data (for example it might say
> "ABCDEFG is not a valid UK postcode") who is responsible for ensuring
> that the message is safe to use in the error response? Is it the caller
> or is it the component that generates the error response?
>
> It is my belief that it is the component generating the error response
> that is responsible. The caller does not know what format will be used
> for the error response (HTML, XML, JSON, something else) and, therefore,
> has no way of determining what is the appropriate escaping / encoding /
> safety mechanism of choice to use. Therefore, it has to be the
> responsibility of the component generating the response.
>
> Do the other EG members agree and, if so, can we get the spec updated to
> make that explicit?
+1

Shing Wai Chan
>
> Cheers,
>
> Mark
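The division of responsibility argued for above, as an added example that is not part of this thread and not code from any servlet container: a model of the "component generating the error response" that takes the raw `sendError(int, String)` message and escapes it for the output format it has chosen (here `text/html`). The class name, the `htmlErrorPage` and `escapeHtml` methods and the sample postcode message are assumptions made for the illustration; the unescaped variant is included only to show what the caller would otherwise be exposed to.

```java
/**
 * Hypothetical stand-in for the container-side code that turns
 * HttpServletResponse.sendError(int, String) into an HTML error page.
 * The caller passes the message through unmodified; this component
 * knows the response is text/html, so it is the one that escapes.
 */
public class ErrorPageRenderer {

    /** Escapes the characters that change meaning in HTML text and attribute context. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Safe rendering: the message is escaped at the point where the format is known. */
    static String htmlErrorPage(int status, String reasonPhrase, String message) {
        return "<!DOCTYPE html>\n"
             + "<html><head><meta charset=\"UTF-8\"/>"
             + "<title>HTTP Status " + status + " - " + escapeHtml(reasonPhrase) + "</title></head>\n"
             + "<body><h1>HTTP Status " + status + " - " + escapeHtml(reasonPhrase) + "</h1>\n"
             + "<p><b>Message:</b> " + escapeHtml(message) + "</p>\n"
             + "</body></html>\n";
    }

    /** Unsafe rendering, for contrast: the message is embedded verbatim. */
    static String unescapedHtmlErrorPage(int status, String reasonPhrase, String message) {
        return "<html><body><h1>HTTP Status " + status + " - " + reasonPhrase + "</h1>\n"
             + "<p><b>Message:</b> " + message + "</p></body></html>\n";
    }

    public static void main(String[] args) {
        // Constructed input: the part of the message a servlet would build from
        // a request parameter. The caller does not know whether the error page
        // will be HTML, XML or JSON, so it passes the text through as-is, e.g.
        //   response.sendError(400, userInput + " is not a valid UK postcode");
        String userInput = "<script>alert('xss')</script>";
        String message = userInput + " is not a valid UK postcode";

        System.out.println("--- container escapes (message rendered as inert text) ---");
        System.out.print(htmlErrorPage(400, "Bad Request", message));

        System.out.println("--- container does not escape (script tag reaches the browser) ---");
        System.out.print(unescapedHtmlErrorPage(400, "Bad Request", message));
    }
}
```

The escaping is deliberately tied to the renderer rather than to the servlet: a container that switched its default error body to JSON or XML would swap in the encoding appropriate to that format inside this component, and the caller's `sendError` invocation would not need to change. Escaping at the call site instead would produce HTML entities inside a JSON or XML body and would still leave the container's own default page unprotected for callers that forgot.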