Removed input value from default_error_message #5881


Merged: 4 commits merged into encode:master, Apr 20, 2018

Conversation

chickahoona (Contributor):

It's never a good idea to return the provided input in an error message, as it can easily result in a reflected XSS. Imagine someone sends a form with a field like "<script>something evil</script>": you return the value in the error message because it does not pass your serializer, and the frontend may not sanitize it properly, as it trusts its own backend. :)

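As an added example that is not part of this PR or of Django REST Framework's own code, here is the pattern the comment above describes, written as a minimal boolean validator in the "before" form (rejected input interpolated into the error message) and the "after" form this PR moves to (fixed wording), next to a frontend that inserts the message as raw HTML and one that escapes it. The `ValidationError` stand-in, the validator names, the render functions and the payload string are all constructed for illustration.

```python
import html

# Added example, not DRF's code: a boolean validator in the two styles this PR
# contrasts, plus two ways a frontend might render the resulting error message.
# All names and the sample payload below are constructed for illustration.

TRUE_VALUES = {"true", "True", "1", 1, True}
FALSE_VALUES = {"false", "False", "0", 0, False}


class ValidationError(Exception):
    """Stand-in for a framework validation error carrying a message string."""

    def __init__(self, detail):
        super().__init__(detail)
        self.detail = detail


def _coerce(data):
    """Map an accepted truthy/falsy token to True/False; None if unrecognised."""
    try:
        if data in TRUE_VALUES:
            return True
        if data in FALSE_VALUES:
            return False
    except TypeError:  # unhashable input such as a list or dict
        pass
    return None


def validate_bool_before(data):
    """'Before' style: whatever the client sent is echoed back in the error."""
    result = _coerce(data)
    if result is None:
        raise ValidationError('"{input}" is not a valid boolean.'.format(input=data))
    return result


def validate_bool_after(data):
    """'After' style: fixed wording, the input is never echoed."""
    result = _coerce(data)
    if result is None:
        raise ValidationError("Must be a valid boolean.")
    return result


def error_message(validator, data):
    """Run a validator and return its error message, or None if it accepts."""
    try:
        validator(data)
    except ValidationError as exc:
        return exc.detail
    return None


def render_trusting(message):
    """A frontend that trusts its backend: the message goes in as raw HTML
    (innerHTML-style), which is what turns the echoed input into reflected XSS."""
    return '<p class="error">' + message + "</p>"


def render_escaping(message):
    """The same view with output encoding; safe whatever the backend echoes."""
    return '<p class="error">' + html.escape(message) + "</p>"


# Constructed probe: the kind of field value the comment above describes.
PAYLOAD = "<script>something evil</script>"


def demo():
    """Return (before, after) error HTML for the probe under a trusting frontend."""
    before = render_trusting(error_message(validate_bool_before, PAYLOAD))
    after = render_trusting(error_message(validate_bool_after, PAYLOAD))
    return before, after


if __name__ == "__main__":
    before_html, after_html = demo()
    print("before:", before_html)
    print("after: ", after_html)
```

With the "before" validator the script tag lands in the page verbatim; the fix removes the echo at the source, and client-side output encoding remains the second line of defence for any other message that might still carry user input.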
@tomchristie (Member):

Looks like there are some tests that’d need updating too. I’d prefer the form “Must be a ...” for the wording.

Signed-off-by: Sascha Pfeiffer <[email protected]>
@chickahoona (Contributor, Author) commented Mar 24, 2018:

Thanks for the ping. Should pass now. I didn't get the "Must be a ... for the wording" thing.

Signed-off-by: Sascha Pfeiffer <[email protected]>
@tomchristie (Member):

I meant we should use phrasing “Must be a valid boolean” instead of “Is not a valid boolean.”

@carltongibson carltongibson added this to the 3.8.3 Release milestone Apr 20, 2018
@carltongibson carltongibson merged commit 7d64b70 into encode:master Apr 20, 2018
@chickahoona chickahoona deleted the remove-input-value-from-error-message branch April 20, 2018 15:40
@rpkilby rpkilby modified the milestones: 3.8.3 Release, 3.9 Release Aug 29, 2018
shanemcd pushed a commit to shanemcd/awx that referenced this pull request Jun 18, 2019
pchiquet pushed a commit to pchiquet/django-rest-framework that referenced this pull request Nov 17, 2020