On 07/02/17 22:34, Edward Burns wrote:
EB> I propose we resolve this by adding this statement to the text of
EB> HttpServletResponse.sendError(), after "text/html":
EB> The message is assumed to be in the character
EB> encoding of the current response.
>>>>> On Tue, 7 Feb 2017 23:37:40 +0000, Mark Thomas <markt_at_apache.org> said:
MT> That text does not address the primary concern of addressing who is
MT> responsible for ensuring that the message is safe to use as is.
MT> I'd suggest the following alternative text:
MT> The caller is responsible for ensuring that the provided message is safe
MT> (e.g. user provided data is appropriately escaped) to be included
MT> 'as-is' in the error response.
I hope you don't mind if I reword your text as
* The argument message will be included in the
* response without any escaping or re-encoding. The caller is
* responsible for ensuring this is safe with respect to the current
* response encoding.
Is that ok?
Thanks,
Ed
--
| edward.burns_at_oracle.com | office: +1 407 458 0017
| 19 business days until planned start of JSF 2.3 Final Approval Ballot
| 9 business days until DevNexus 2017
| 34 business days until JavaLand 2017
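As an added illustration of the contract under discussion (not code from this thread or from any container): the servlet below escapes user-supplied text itself before handing it to sendError(), since the proposed Javadoc makes the caller responsible for that. The servlet class, its item set and the escapeHtml helper are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet: the caller escapes before sendError(), per the proposed Javadoc. */
public class ItemLookupServlet extends HttpServlet {

    // Constructed sample data standing in for a real lookup.
    private static final Set<String> KNOWN_ITEMS =
            new HashSet<>(Arrays.asList("1001", "1002", "1003"));

    // Minimal HTML text escaping, enough for text placed inside a text/html body.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");            // user-controlled input
        if (id == null || !KNOWN_ITEMS.contains(id)) {
            // UNSAFE: sendError() copies the message into the text/html error page
            // as-is, so any markup in "id" would be rendered by the browser:
            //   resp.sendError(HttpServletResponse.SC_NOT_FOUND, "No item " + id);

            // SAFE: fix the encoding the message is written in, then escape the
            // untrusted part before it reaches sendError().
            resp.setCharacterEncoding("UTF-8");
            resp.sendError(HttpServletResponse.SC_NOT_FOUND,
                           "No item " + escapeHtml(String.valueOf(id)));
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Item " + id + " found");
    }
}
```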