Skip to content

api: Don't HTML escape application/json responses #26432

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

api: Don't HTML escape application/json responses #26432

wants to merge 1 commit into from

Conversation

stefwalter
Copy link

An HTTP response with Content-Type application/json does not need to be HTML escaped. Doing this causes encoding issues in the Podman REST API output as seen in the issue:

Fixes #17769

Remove the HTML escaping from Content-Type: application/json responses.

None

@github-actions github-actions bot added the kind/api-change Change to remote API; merits scrutiny label Jun 14, 2025
@stefwalter stefwalter force-pushed the dont-html-escape-json branch from 09dbbff to 5a95236 Compare June 14, 2025 11:12
@packit-as-a-service Packit-as-a-Service
Copy link

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

giuseppe
giuseppe approved these changes Jun 16, 2025
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jun 16, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, stefwalter

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2025
Luap99
Luap99 reviewed Jun 16, 2025
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks correct but we will need a test to make sure it works and prevent future regressions, take a look at test/apiv2.

@stefwalter
Copy link
Author

Added a test. It's more of a unit test, is that okay?

Luap99
Luap99 reviewed Jun 24, 2025
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unit test is fine, just some small comments, also please sqash the commits, we like to have fix and test in the same commit and make sure it has the proper DCO sign-off line

@stefwalter @claude
api: Don't HTML escape application/json responses
cb4bf17 
An HTTP response with Content-Type application/json does not need
to be HTML escaped. Doing this causes encoding issues in the Podman
REST API output as seen in the issue:

Fixes containers#17769

Remove the HTML escaping from Content-Type: application/json responses.

Signed-off-by: Stef Walter <stef@thewalter.net>
Co-Authored-By: Claude <noreply@anthropic.com>
@stefwalter stefwalter force-pushed the dont-html-escape-json branch from 3db6dde to cb4bf17 Compare June 27, 2025 15:51
@stefwalter
Copy link
Author

Thanks for the review @Luap99 . Made the requested changes, squashed.

Luap99
Luap99 reviewed Jun 27, 2025
View reviewed changes
pkg/api/handlers/utils/handler_test.go
// Verify the data matches what we sent
if !reflect.DeepEqual(parsed, testData) {
t.Errorf("Parsed message doesn't match original: got %v, want %v",
parsed["message"], testData["message"])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be parsed, testData as we compare the full thing not just the one field. Otherwise if this ever fails the error message could be confusing since this shows something else then what the code matches.

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@Luap99 Luap99 Luap99 left review comments

@giuseppe giuseppe giuseppe approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/api-change Change to remote API; merits scrutiny release-note-none
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

REST API: "\u003cmissing\u003e" instead of "<missing>" in returned Id attribute ( /v1.24/images/${img}/history )
3 participants
@stefwalter @giuseppe @Luap99