I think maybe this is a bug, or it can lead to serious issues with handling users' input; or it's just me using it wrong.
Currently if I use request.validate(), it will merge the query params and body to validate, while our app uses only request.body() to get inputs from users. So if the request.body() contains invalid data, and a user tricks the app with correct query params, it will pass the validation.
Is this a bug, or is it supposed to do this?
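The mismatch described in this post, as an added example that is not part of the original post and is not AdonisJS code: a framework-free model in which validation sees body and query merged while the handler consumes only the body, next to a handler that validates exactly what it consumes. The rule set, the function names, the sample request and the merge order (query values winning over body values) are assumptions made for illustration.

```javascript
// Constructed model of the mismatch described above; not AdonisJS code.
// Assumption: the validator sees body and query merged, with query values winning.

// Hypothetical rule set: field name -> predicate.
const rules = {
  email: (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
  age: (v) => Number.isInteger(Number(v)) && Number(v) >= 18,
};

// Validate `data` against `rules`; return the list of failing field names.
function failures(data) {
  return Object.keys(rules).filter((field) => !rules[field](data[field]));
}

// Pattern from the post: validate the merged input, then consume only the body.
function handleMerged(req) {
  const merged = { ...req.body, ...req.query };
  const errors = failures(merged);
  return errors.length ? { ok: false, errors } : { ok: true, used: req.body };
}

// Mitigation: validate exactly the object the handler consumes, and pass on
// only the fields that were validated.
function handleBodyOnly(req) {
  const errors = failures(req.body);
  if (errors.length) return { ok: false, errors };
  const used = Object.fromEntries(Object.keys(rules).map((f) => [f, req.body[f]]));
  return { ok: true, used };
}

// Constructed request: invalid body, valid query string.
const sampleRequest = {
  query: { email: 'a@example.com', age: '30' },
  body: { email: 'not-an-email', age: 5 },
};

console.log(handleMerged(sampleRequest));   // ok: true, yet `used` holds the invalid body
console.log(handleBodyOnly(sampleRequest)); // ok: false, errors: ['email', 'age']
```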