
DDI rejects faux HTML status messages

Open stschake opened this issue 7 years ago • 0 comments

The DDI feedback API rejects details messages that "appear" to contain HTML content. The logic seems to be nothing more than a "script" appears somewhere inside a substring delimited by '<' and '>', e.g. the message

"Not <actually a script and> why would it even matter" 

will already trigger the issue. (Look, GitHub is invincible!)

Pushing the validation effort for this onto the DDI client implementation seems unreasonable. It is perfectly well understood how to safely show user-supplied content for a browser frontend, and validators built upon haphazard heuristics, such as the one in Hibernate, have a terrible track record regardless.

The root cause is https://github.com/eclipse/hawkbit/blob/master/hawkbit-repository/hawkbit-repository-core/src/main/java/org/eclipse/hawkbit/repository/ValidString.java#L30, suggesting this is an issue present in all other APIs also, given that the repository constraints radiate outwards.

stschake · Jan 18 '19 09:01
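The two approaches the issue contrasts, as an added example that is not part of the original issue and not hawkBit's code: a constructed approximation of an input-side "looks like HTML" heuristic (the exact `ValidString` logic is not reproduced here, so this is an assumption based on the behaviour described above) beside the render-time output encoding the reporter prefers. The status message strings are constructed sample inputs; `looksLikeHtml`, `escapeHtml` and `renderStatusMessage` are hypothetical names.

```javascript
// Added example, not code from hawkBit or from the issue author.
// Constructed approximation of the reported heuristic: reject a message when
// the text between a '<' and the next '>' contains the word "script",
// regardless of whether it is real markup. This is an assumption about the
// validator's behaviour, not the actual ValidString implementation.
function looksLikeHtml(message) {
  const angleBracketed = /<([^>]*)>/g;
  let match;
  while ((match = angleBracketed.exec(message)) !== null) {
    if (/script/i.test(match[1])) {
      return true;
    }
  }
  return false;
}

// Output encoding: neutralise the five characters that carry meaning in an
// HTML text or attribute context. The stored message is left untouched;
// the encoding is applied by the frontend at render time.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  // A single pass with a callback means each character is replaced once,
  // so '&' is never double-encoded.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulates what a frontend hands to the browser: the result contains no raw
// '<' or '>', so the browser can only ever display it as text.
function renderStatusMessage(message) {
  return escapeHtml(message);
}

// Constructed sample inputs. The first is the message quoted in the issue.
const ISSUE_MESSAGE = 'Not <actually a script and> why would it even matter';
const MARKUP_MESSAGE = 'Reboot <b>failed</b> & retry "now"';

// The heuristic rejects a benign message (a false positive)...
console.log('heuristic rejects issue message:', looksLikeHtml(ISSUE_MESSAGE));
// ...while output encoding keeps it and makes real markup inert as well.
console.log(renderStatusMessage(ISSUE_MESSAGE));
console.log(renderStatusMessage(MARKUP_MESSAGE));
```

The point of the comparison is where the check lives: the heuristic has to guess at render context from inside the repository layer and gets it wrong for ordinary text, whereas encoding at the point of output knows the context exactly and needs no guess about what the string "appears" to contain.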