| d7502248e0 The GraphQL error messages can contain user-supplied input (such as text input that was deemed invalid). However, the validation object's error messages are intended for display (i.e. HTML rendering). To assert that no user-supplied HTML is rendered, escape the GraphQL error messages as they get copied to the validation object. Thanks to Naglis Jonaitis for the report. |
|---|
| .. |
| __init__.py |
| blueprint.py |
| client.py |