ZK-4629

Avoid exposing technical internal error details (allow custom error handling)


    • ZK 9.5.0 S1

      Steps to Reproduce

      manipulate a /zkau request (e.g. via browser dev tools) to send an invalid AU request to the server

      e.g. containing an invalid data_0=9 (a number instead of a JSON object):

      dtid=z_3cd&cmd_0=onClick&uuid_0=jVAP1&data_0=9
      

      Current Result

      A response containing implementation details, in a non-customizable way (using the 'alert' function).
      There's no option on the server side to configure the error handling in these cases, nor a practical way on the client side to customize the error display without overriding the 'alert' function globally.

      {"rs":[["alert",["class java.lang.Integer cannot be cast to class java.util.Map (java.lang.Integer and java.util.Map are in module java.base of loader 'bootstrap')",null,null,true]]]}
      

      Expected Result

      Since it's a technical error indicating either an implementation/framework error (not intended for end users) or, as in this case, manipulated request parameters, a technical error code is preferable (similar to 467 "Request incomplete" when the dtid parameter is missing), with details logged on the server side.

      HTTP error codes can be handled on the server side (error handler) or on the client side in the AJAX error handler, to customize what the end user sees.
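      The following is an added illustration of the two behaviours contrasted in this report; it is not ZK code and does not reproduce DHtmlUpdateServlet. It shows the leaking pattern (exception message forwarded to the browser as an 'alert' command) beside a hardened one that logs the detail server-side under a correlation id and answers with a status code only. The class name, the helper names and the choice of 400 as the status code are assumptions for the example; the report suggests a dedicated code in the style of 467. It depends only on the Servlet API (javax.servlet) and java.util.logging.

```java
import java.io.IOException;
import java.util.Map;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical error handling for an AU-style update servlet.
 * Example code for this issue, not part of ZK.
 */
public class AuErrorHandlingExample {

    private static final Logger LOG = Logger.getLogger(AuErrorHandlingExample.class.getName());

    /**
     * Leaking pattern (what the report observes): the raw exception message,
     * e.g. "class java.lang.Integer cannot be cast to class java.util.Map ...",
     * is embedded in an 'alert' AU command and shown to the end user.
     */
    static String leakingAlertResponse(Throwable t) {
        return "{\"rs\":[[\"alert\",[\"" + t.getMessage() + "\",null,null,true]]]}";
    }

    /**
     * Hardened pattern: the exception (class name, stack trace) goes to the server
     * log together with a correlation id; the client only gets a technical status
     * code and a message that contains no implementation details.
     * 400 is an assumption here; the report asks for a code in the style of 467.
     */
    static String hardenedResponse(HttpServletResponse resp, Throwable t) throws IOException {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "Malformed AU request, ref=" + correlationId, t);
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        resp.setContentType("text/plain;charset=UTF-8");
        String body = "Request could not be processed (ref " + correlationId + ")";
        resp.getWriter().write(body);
        return correlationId; // returned so a caller can echo it in its own logs
    }

    /**
     * data_N of an AU request must be a JSON object. A manipulated request such as
     * data_0=9 decodes to an Integer; rejecting it here yields a controlled exception
     * instead of an unchecked ClassCastException deep inside the dispatcher.
     */
    @SuppressWarnings("unchecked")
    static Map<String, Object> requireJsonObject(Object decoded) {
        if (!(decoded instanceof Map)) {
            throw new IllegalArgumentException("AU data must be a JSON object");
        }
        return (Map<String, Object>) decoded;
    }

    /**
     * Entry point a servlet's doPost would delegate to once data_N has been
     * JSON-decoded (decoding itself is outside this example).
     */
    static void handleDecodedAuRequest(Object decodedData0, HttpServletResponse resp) throws IOException {
        try {
            Map<String, Object> data = requireJsonObject(decodedData0);
            // ... dispatch cmd_0 to the component identified by uuid_0 using 'data' ...
        } catch (IllegalArgumentException | ClassCastException e) {
            // Never call leakingAlertResponse(e) here: that is the behaviour being reported.
            hardenedResponse(resp, e);
        }
    }
}
```

      With the hardened variant the browser's AJAX error handler receives a plain HTTP status and can render whatever the application prefers, while the correlation id lets support staff find the full exception in the server log without the class names ever reaching the client.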

      Debug Information

      responseError method (used only 4 times within the file):
      https://github.com/zkoss/zk/blob/v9.1.0/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L727-L733

      Workaround


            DevChu
            cor3000
            Votes: 0
            Watchers: 3
