[ https://issues.apache.org/jira/browse/TAP5-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ben Weidig resolved TAP5-2768.
------------------------------
Fix Version/s: 5.8.4
Resolution: Fixed
> DefaultRequestExceptionHandler shouldn't send Exception message in production
> -----------------------------------------------------------------------------
>
> Key: TAP5-2768
> URL: https://issues.apache.org/jira/browse/TAP5-2768
> Project: Tapestry 5
> Issue Type: Improvement
> Components: tapestry-core
> Affects Versions: 5.8.3
> Reporter: Ben Weidig
> Assignee: Ben Weidig
> Priority: Minor
> Fix For: 5.8.4
>
>
> The {{DefaultRequestExceptionHandler}} shouldn't write the actual Exception
> message to the Request header {{X-Tapestry-ErrorMessage}} in production mode.
> Instead, a generic "An error occurred." should be used, as the message
> exposes app internals.
> The client-side code in {{ajax.coffee}} only uses the header for detecting if an
> error occurred and logging it to {{console.error}}, so its actual value is
> irrelevant.
> Omitting the header completely would mean reworking {{ajax.coffee}}, as the
> header indicates that the response might contain HTML content for the
> exception frame.