Removed input value from default_error_message by chickahoona · Pull Request #5881 · encode/django-rest-framework
It's never a good idea to return the provided input in an error message, as it can easily result in a reflected XSS. Imagine someone sends a form with a field like "", you return the value in the error message as it does not pass your serializer and the frontend may not sanitize it properly, as it trusts its own backend. :)
Looks like there are some tests that’d need updating too. I’d prefer the form “Must be a ...” for the wording.
Signed-off-by: Sascha Pfeiffer sascha.pfeiffer@psono.com
Thanks for the ping. Should pass now. I didn't get the "Must be a ... for the wording" thing.
Signed-off-by: Sascha Pfeiffer sascha.pfeiffer@psono.com
I meant we should use phrasing “Must be a valid boolean” instead of “Is not a valid boolean.”