Ben Weidig created TAP5-2768:
--------------------------------

             Summary: DefaultRequestExceptionHandler shouldn't send Exception 
message in production
                 Key: TAP5-2768
                 URL: https://issues.apache.org/jira/browse/TAP5-2768
             Project: Tapestry 5
          Issue Type: Improvement
          Components: tapestry-core
    Affects Versions: 5.8.3
            Reporter: Ben Weidig


The {{DefaultRequestExceptionHandler}} shouldn't write the actual Exception 
message to the Request header {{X-Tapestry-ErrorMessage}} in production mode.

Instead, a generic "An error occurred." should be used, as the message exposes 
app internals.

The client-side code in {{ajax.coffee}} only uses the header for detecting if an 
error occurred and logging it to {{console.error}}, so its actual value is 
irrelevant.

Omitting the header completely would mean reworking {{ajax.coffee}}, as the 
header indicates that the response might contain HTML content for the exception 
frame.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
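
A regression check for the behaviour requested above, as an added example that is not part of the original issue or of Tapestry's code: it parses captured responses, flags any {{X-Tapestry-ErrorMessage}} value other than the generic text, and models a client that reacts only to the header's presence. The function names, the sample responses and the exception text in them are constructed for illustration.

```javascript
const ERROR_HEADER = "x-tapestry-errormessage";  // header named in the issue, lowercased
const GENERIC_MESSAGE = "An error occurred.";    // generic text proposed in the issue

// Parse the header block of a raw HTTP response into a Map keyed by lowercase name.
function parseHeaders(rawResponse) {
  const head = rawResponse.split(/\r?\n\r?\n/, 1)[0];
  const headers = new Map();
  for (const line of head.split(/\r?\n/).slice(1)) {  // slice(1) skips the status line
    const idx = line.indexOf(":");                    // first colon only: values may contain ':'
    if (idx > 0) {
      headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
    }
  }
  return headers;
}

// "absent": no error header; "generic": safe placeholder; "leak": anything else.
function classify(rawResponse) {
  const value = parseHeaders(rawResponse).get(ERROR_HEADER);
  if (value === undefined) return "absent";
  return value === GENERIC_MESSAGE ? "generic" : "leak";
}

// Model of the client behaviour the issue describes: presence is the signal, not the value.
function clientSeesError(rawResponse) {
  return parseHeaders(rawResponse).has(ERROR_HEADER);
}

// Return one finding per response whose error header carries a non-generic value.
function audit(responses) {
  return responses
    .map((raw, index) => ({ index, verdict: classify(raw) }))
    .filter((finding) => finding.verdict === "leak");
}

// Constructed sample responses (not captured from a real application).
const LEAKY = ["HTTP/1.1 500 Internal Server Error",
  "X-Tapestry-ErrorMessage: org.example.dao.OrderDao: relation orders does not exist",
  "Content-Type: text/html", "", "<html>exception frame</html>"].join("\r\n");
const GENERIC = ["HTTP/1.1 500 Internal Server Error",
  "x-tapestry-errormessage: An error occurred.",
  "Content-Type: text/html", "", "<html>exception frame</html>"].join("\r\n");
const OK = ["HTTP/1.1 200 OK", "Content-Type: application/json", "", "{}"].join("\r\n");

for (const finding of audit([LEAKY, GENERIC, OK])) {
  console.log(`response #${finding.index}: error header exposes a non-generic message`);
}
```
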
