[
https://issues.apache.org/jira/browse/TAP5-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17784309#comment-17784309
]
ASF subversion and git services commented on TAP5-2768:
-------------------------------------------------------
Commit 2c61207ce41150b16cb4dd4ca96efd06c60cf1e9 in tapestry-5's branch
refs/heads/master from Ben Weidig
[ https://gitbox.apache.org/repos/asf?p=tapestry-5.git;h=2c61207ce ]
TAP5-2768: DefaultRequestExceptionHandler doesn't leak error msg if prod
> DefaultRequestExceptionHandler shouldn't send Exception message in production
> -----------------------------------------------------------------------------
>
> Key: TAP5-2768
> URL: https://issues.apache.org/jira/browse/TAP5-2768
> Project: Tapestry 5
> Issue Type: Improvement
> Components: tapestry-core
> Affects Versions: 5.8.3
> Reporter: Ben Weidig
> Assignee: Ben Weidig
> Priority: Minor
>
> The {{DefaultRequestExceptionHandler}} shouldn't write the actual Exception
> message to the Request header {{X-Tapestry-ErrorMessage}} in production mode.
> Instead, a generic "An error occurred." should be used, as the message
> exposes app internals.
> The client-side code in {{ajax.coffee}} only uses the header detecting if an
> error occurred and logging it to {{console.error}}, so its actual value is
> irrelevant.
> Omitting the header completely would mean reworking {{ajax.coffee}}, as the
> header indicates that the response might contain HTML content for the
> exception frame.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
