On 08/02/17 22:58, Edward Burns wrote:
>
> On 07/02/17 22:34, Edward Burns wrote:
>
> EB> I propose we resolve this by adding this statement to the text of
> EB> HttpServletResponse.sendError(), after "text/html":
>
> EB> The message is assumed to be in the character
> EB> encoding of the current response.
>
>>>>>> On Tue, 7 Feb 2017 23:37:40 +0000, Mark Thomas <markt_at_apache.org> said:
>
> MT> That text does not address the primary concern of addressing who is
> MT> responsible for ensuring that the message is safe to use as is.
>
> MT> I'd suggest the following alternative text:
>
> MT> The caller is responsible for ensuring that the provided message is safe
> MT> (e.g. user provided data is appropriately escaped) to be included
> MT> 'as-is' in the error response.
>
> I hope you don't mind if I reword your text as
>
> * The argument message will be included in the
> * response without any escaping or re-encoding. The caller is
> * responsible for ensuring this is safe with respect to the current
> * response encoding.
>
> Is that ok?
Clearer than mine. Thanks. I think it needs " and content type" inserted
at the end.
Mark