Using text/plain for error responses

This prevents XSS attacks injecting scripts to error messages. Currently http error constructor sets content-type to text/html for errors with the code 500. Change-Id: I21b5855ebe102060f4046706b5c6ab2e3e532162 Closes-Bug: #1583602 (cherry picked from commit 25fca4bb84)
2016-05-20 16:31:20 +03:00 · 2016-05-20 16:31:20 +03:00 · fe8a4b307d
commit fe8a4b307d
parent 37631934fa
1 changed files with 1 additions and 0 deletions
--- a/nailgun/nailgun/api/v1/handlers/base.py
+++ b/nailgun/nailgun/api/v1/handlers/base.py
@ -301,6 +301,7 @@ def content_json(func, cls, *args, **kwargs):
            )
        )
        http_error.data = json_resp(http_error.data)
+        web.header('Content-Type', 'text/plain')
        raise http_error

    if all([