Closed Dudeplayz closed 12 months ago
That code traces back to the initial implementation https://github.com/FlowingCode/ErrorWindowAddon/blob/4334fca3911faecb7e948aa239daafe9127521d5/src/main/java/com/flowingcode/vaadin/addons/errorwindow/ErrorWindow.java#L183
I guess the idea was to allow HTML formatted messages, which in retrospect is a bad idea because it opens a way to script-injection attacks (at least, it is possible to write a <script> tag in the exception message, and have it executed, which is dangerous because the exception message is not necessarily sanitized). I think we have to change the behavior to interpret the message in text-only format, which would be a (well deserved) breaking change.
As a workaround, you can set your own ErrorWindowFactory implementation by calling ErrorManager.setErrorWindowFactory() from a VaadinServiceInitListener (link to documentation). Then you can copy ErrorWindow and replace that line.
Thank you for bringing this to our attention. The fix has been merged into version 4.0.0-SNAPSHOT, which is available from our snapshot repository (https://maven.flowingcode.com/snapshots). It will be released in the coming days.
Thanks for the fast fix and good job 👍
Hello. Version 4.0.0 is already available from the Maven Central repository. https://repo1.maven.org/maven2/com/flowingcode/vaadin/addons/error-window-vaadin/4.0.0
An API is returning the following error:
Which results in:
I don't understand why Span isn't used directly here: https://github.com/FlowingCode/ErrorWindowAddon/blob/26de67daea91d01b9f41b570fd5c701d7a74b98c/src/main/java/com/flowingcode/vaadin/addons/errorwindow/ErrorWindow.java#L313-L315
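The difference between HTML-interpreted and text-only rendering of an exception message, as discussed in this thread, shown with Vaadin Flow's Html and Span components. This is an added example, not code from the issue or from ErrorWindowAddon; the class name, helper names and sample message are hypothetical, and it assumes Vaadin Flow on the classpath.

```java
import com.vaadin.flow.component.Component;
import com.vaadin.flow.component.Html;
import com.vaadin.flow.component.html.Span;

/** Added example (hypothetical class): two ways to render an exception message. */
public final class ErrorMessageRendering {

  /**
   * HTML-interpreting form: the message is parsed as markup, so any tags it
   * contains become part of the page. Html also requires exactly one root
   * element, which is why the message is wrapped in a span here.
   */
  static Component asHtml(String message) {
    return new Html("<span>" + message + "</span>");
  }

  /**
   * Text-only form: the message becomes a text node, so markup in it is
   * displayed literally and never interpreted by the browser.
   */
  static Component asText(Throwable error) {
    String message = error.getMessage();
    if (message == null || message.isBlank()) {
      // Exceptions may carry no message; fall back to the exception type.
      message = error.getClass().getName();
    }
    Span span = new Span(message);
    // Keep line breaks of multi-line messages without resorting to HTML.
    span.getStyle().set("white-space", "pre-wrap");
    return span;
  }

  public static void main(String[] args) {
    // Constructed sample: an exception echoing markup returned by a remote API.
    Throwable error =
        new IllegalStateException("Upstream replied: <b>Bad Gateway</b><hr>");

    // Text-only: the server-side element holds the message as plain text.
    Component text = asText(error);
    System.out.println("text node : " + text.getElement().getText());

    // HTML form: the same message ends up in the element's innerHTML property.
    Component html = asHtml(error.getMessage());
    System.out.println("innerHTML : " + html.getElement().getProperty("innerHTML"));
  }
}
```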