jsr340-experts@servlet-spec.java.net

[jsr340-experts] [servlet-spec users] Re: Responsibility for safe use of message in HttpServletResponse.sendError(int, String)

From: Edward Burns <edward.burns_at_oracle.com>
Date: Tue, 27 May 2014 15:17:42 -0700

>>>>> On Fri, 23 May 2014 16:27:45 -0700, Shing Wai Chan <shing.wai.chan_at_oracle.com> said:

MT> All,
MT>
MT> When an application calls HttpServletResponse.sendError(int, String) the
MT> Javadoc states that:
MT>
MT> <quote>
MT> The server defaults to creating the response to look like an
MT> HTML-formatted server error page containing the specified message,
MT> setting the content type to "text/html".
MT> </quote>
MT>
MT> My question is a simple one.
MT>
MT> If the message contains user-provided data (for example it might say
MT> "ABCDEFG is not a valid UK postcode") who is responsible for ensuring
MT> that the message is safe to use in the error response? Is it the caller
MT> or is it the component that generates the error response?
MT>
MT> It is my belief that it is the component generating the error response
MT> that is responsible. The caller does not know what format will be used
MT> for the error response (HTML, XML, JSON, something else) and, therefore,
MT> has no way of determining what is the appropriate escaping / encoding /
MT> safety mechanism of choice to use. Therefore, it has to be the
MT> responsibility of the component generating the response.
MT>
MT> Do the other EG members agree and, if so, can we get the spec updated to
MT> make that explicit?

SW> +1

I have filed <https://java.net/jira/browse/SERVLET_SPEC-88> for this.

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
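
Added example, not part of the thread and not Servlet API or container code: a sketch of the position argued above, where the component that generates the error body escapes the sendError message for whichever format it emits. The class ErrorBodyRenderer, its Format enum and the sample message are hypothetical and constructed for illustration.

```java
// Hypothetical container-side error renderer: the caller passes the raw message,
// and the renderer, which alone knows the output format, applies the encoding.
public class ErrorBodyRenderer {

    enum Format { HTML, XML, JSON }

    // Escape the characters that are significant in HTML/XML text and attribute values.
    static String escapeMarkup(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Escape for a JSON string literal. Markup characters are written as numeric
    // escapes too, so the body stays inert if a client treats it as HTML.
    static String escapeJson(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20 || c == '<' || c == '>' || c == '&') out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    // Build the error body; the message is encoded here, never by the caller.
    static String render(int status, String message, Format format) {
        String msg = message == null ? "" : message;
        switch (format) {
            case HTML: return "<html><body><h1>HTTP Status " + status + "</h1><p>" + escapeMarkup(msg) + "</p></body></html>";
            case XML:  return "<error status=\"" + status + "\"><message>" + escapeMarkup(msg) + "</message></error>";
            default:   return "{\"status\":" + status + ",\"message\":\"" + escapeJson(msg) + "\"}";
        }
    }

    public static void main(String[] args) {
        // Constructed input: user-supplied text containing markup, as in the postcode example.
        String message = "<script>alert(1)</script> is not a valid UK postcode";
        for (Format f : Format.values()) System.out.println(f + ": " + render(400, message, f));
    }
}
```

The same raw message yields three differently encoded bodies, which is why a caller that does not know the response format cannot pre-escape it correctly.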