Removed input value from deault_error_message

It's never a good idea to return the provided input in an error message, as it can easily result in a reflected XSS. Imagine someone sends a form with a field like "<script>something evil</script>"; you return the value, and the frontend may not sanitize it properly, as it trusts its own backend. :)
Sascha P 2018-03-15 12:25:45 +01:00 committed by GitHub
parent 0da461710a
commit e61c937313


@ -642,7 +642,7 @@ class Field(object):
class BooleanField(Field):
default_error_messages = {
'invalid': _('"{input}" is not a valid boolean.')
'invalid': _('Is not a valid boolean.')
}
default_empty_html = False
initial = False
@ -687,7 +687,7 @@ class BooleanField(Field):
class NullBooleanField(Field):
default_error_messages = {
'invalid': _('"{input}" is not a valid boolean.')
'invalid': _('Is not a valid boolean.')
}
initial = None
TRUE_VALUES = {
@ -841,7 +841,7 @@ class UUIDField(Field):
valid_formats = ('hex_verbose', 'hex', 'int', 'urn')
default_error_messages = {
'invalid': _('"{value}" is not a valid UUID.'),
'invalid': _('Is not a valid UUID.'),
}
def __init__(self, **kwargs):
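Review bot: The replacement strings in all three hunks (BooleanField, NullBooleanField, UUIDField) are sentence fragments — `'Is not a valid boolean.'` has no subject now that `"{input}"` is gone; `_('Not a valid boolean.')` and `_('Not a valid UUID.')` read naturally for a message that no longer echoes a value. Changing the msgid also means existing translations of these keys will no longer match and will fall back to English until the catalogs are updated, which is presumably acceptable but worth stating in the commit. Dropping the placeholder is harmless for any caller that still passes `input=` or `value=` keyword arguments, since `str.format` ignores unused keyword arguments, but the `self.fail(...)` call sites are outside the hunks, so that should be confirmed. Removing the echoed value closes one reflection point rather than the root cause; HTML-escaping error text at the rendering layer remains the control that prevents reflected XSS, and the description could say so.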