michael-o commented on pull request #9: URL: https://github.com/apache/velocity-tools/pull/9#issuecomment-716550276
> > > This is a shared library so I can see @mkienenb's point on compatibility. They may be relying on that exception as it was documented or expected to be thrown from that API. This is going to create a security issue for any Velocity Tools users even if we aren't using view / mvc packages but are using Velocity Tools. If it is just an encoding issue in the error message - and that fixes the problem, why not just do that?

I have checked the API. `error()` implements what `HttpServletResponse#sendError()` defines. Server API requires `#sendError()` to generate an HTML page with an error description. Throwing out/reducing `error()` would still comply with the contract for two reasons:

1. If we can properly determine the cause we can populate `#sendError()`
2. If we cannot we throw an exception and the servlet container *must* catch and invoke the HTML page handler

In both cases, an HTML page is emitted.