jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: SERVLET_SPEC-88-ResponseSendErrorEncoding

From: Mark Thomas <markt_at_apache.org>
Date: Tue, 7 Feb 2017 23:37:40 +0000

On 07/02/17 22:34, Edward Burns wrote:
> Hello Volunteers,
>
> I propose we resolve this by adding this statement to the text of
> HttpServletResponse.sendError(), after "text/html":
>
> The message is assumed to be in the character
> encoding of the current response.
>
> ACTION: Please let me know your opinions on this by close of business
> GMT-0800 Thursday 9 February 2017.

Ed,

That text does not address the primary concern of addressing who is
responsible for ensuring that the message is safe to use as is.

I'd suggest the following alternative text:

The caller is responsible for ensuring that the provided message is safe
(e.g. user provided data is appropriately escaped) to be included
'as-is' in the error response.

Mark
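Added illustration (not part of the thread, and not code from the Servlet spec or any container): a servlet that does what Mark's proposed wording asks of the caller, escaping user-supplied data before handing it to HttpServletResponse.sendError(int, String), and setting the response character encoding first so the message is in "the character encoding of the current response" as Ed's text assumes. The package names follow the javax.servlet API of JSR 369; the servlet path, parameter name and the escapeHtml helper are hypothetical.

```java
// Assumed: javax.servlet API as specified by JSR 369 (Servlet 4.0).
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet used only to illustrate the sendError() contract.
@WebServlet("/lookup")
public class LookupServlet extends HttpServlet {

    /** Minimal HTML escaping for text that will end up in an error page body. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id"); // client-controlled input

        if (id == null || !id.matches("[0-9]{1,10}")) {
            // Unsafe variant, shown for contrast: reflecting the raw parameter
            // lets a container that emits the message as text/html render
            // whatever markup the client sent.
            // resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad id: " + id);

            // The message is taken to be in the response's current encoding,
            // so fix that before committing the response with sendError().
            resp.setCharacterEncoding("UTF-8");

            // The caller escapes before the message leaves its hands; the
            // container may include it 'as-is'.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Bad id: " + escapeHtml(id));
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Looked up " + id);
    }
}
```

The split of responsibility this shows is the one Mark's text would fix in the spec: the container may copy the message into an HTML error page without further processing, so any escaping has to happen in application code before sendError() is called.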