Using text/plain for error responses
This prevents XSS attacks injecting scripts into error messages. Currently
the http error constructor sets content-type to text/html for errors with
the code 500.
Change-Id: I21b5855ebe102060f4046706b5c6ab2e3e532162
Closes-Bug: #1583602
(cherry picked from commit 25fca4bb84)
parent 37631934fa
commit fe8a4b307d
@ -301,6 +301,7 @@ def content_json(func, cls, *args, **kwargs):
|
||||
)
|
||||
)
|
||||
http_error.data = json_resp(http_error.data)
|
||||
web.header('Content-Type', 'text/plain')
|
||||
raise http_error
|
||||
|
||||
if all([
|
||||
|
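Review bot: The added `web.header('Content-Type', 'text/plain')` just before `raise http_error` should be verified to replace, not duplicate, the text/html Content-Type that the commit message says the http error constructor already sets for 500 responses; if `web.header` only appends to the response header list, the response will carry two Content-Type headers and the client may still honour text/html. Since the body is JSON here (`http_error.data = json_resp(http_error.data)`), it is also worth stating in a comment why text/plain was chosen over application/json, and adding an explicit charset (for example `text/plain; charset=utf-8`) so the browser does not sniff the encoding.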