Ben Weidig created TAP5-2768:
--------------------------------

             Summary: DefaultRequestExceptionHandler shouldn't send Exception message in production
                 Key: TAP5-2768
                 URL: https://issues.apache.org/jira/browse/TAP5-2768
             Project: Tapestry 5
          Issue Type: Improvement
          Components: tapestry-core
    Affects Versions: 5.8.3
            Reporter: Ben Weidig

The {{DefaultRequestExceptionHandler}} shouldn't write the actual Exception message to the Request header {{X-Tapestry-ErrorMessage}} in production mode. Instead, a generic "An error occurred." should be used, as the message exposes app internals.

The client-side code in {{ajax.coffee}} only uses the header to detect whether an error occurred and to log it to {{console.error}}, so its actual value is irrelevant. Omitting the header completely would mean reworking {{ajax.coffee}}, as the header indicates that the response might contain HTML content for the exception frame.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
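As an added illustration of the behaviour the issue asks for (this is not code from the Tapestry project or from the reporter), the decision below is written in plain Java with the response headers held in a `Map`, so it runs without Tapestry. The header name `X-Tapestry-ErrorMessage` and the generic text "An error occurred." come from the issue; the class `ErrorHeaderPolicy` and its methods are hypothetical, and `productionMode` stands in for the value Tapestry reads from `SymbolConstants.PRODUCTION_MODE`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical stand-in for the exception handler's header logic
 * (not Tapestry's DefaultRequestExceptionHandler): the real exception
 * text reaches the X-Tapestry-ErrorMessage header only outside production.
 */
public class ErrorHeaderPolicy {

    static final String HEADER = "X-Tapestry-ErrorMessage";
    static final String GENERIC = "An error occurred.";

    // In Tapestry this flag would be injected from SymbolConstants.PRODUCTION_MODE.
    private final boolean productionMode;

    public ErrorHeaderPolicy(boolean productionMode) {
        this.productionMode = productionMode;
    }

    /** Header value to send: the generic text in production, the real message otherwise. */
    public String headerValue(Throwable exception) {
        if (productionMode) {
            return GENERIC;
        }
        String message = exception.getMessage();
        if (message == null || message.isEmpty()) {
            message = exception.getClass().getName();
        }
        // A header value must be a single line; fold line breaks so a
        // multi-line exception message cannot split the header.
        return message.replaceAll("[\\r\\n]+", " ");
    }

    /** Builds the headers for an Ajax error response; the client only checks presence of HEADER. */
    public Map<String, String> errorHeaders(Throwable exception) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "text/html;charset=UTF-8");
        headers.put(HEADER, headerValue(exception));
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample: an exception whose message reveals an internal hostname and port.
        Throwable cause = new IllegalStateException(
                "Connection to jdbc:postgresql://db-internal:5432/app refused");

        System.out.println("development: " + new ErrorHeaderPolicy(false).errorHeaders(cause));
        System.out.println("production:  " + new ErrorHeaderPolicy(true).errorHeaders(cause));
    }
}
```

Running `main` shows the development response carrying the full message and the production response carrying only "An error occurred."; since the client-side code only tests for the header's presence, the Ajax error path still works in both modes.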