Skip to content

Sanitize untrusted text before using in Hibernate

Escape untrusted text so a malicious user is unable to trigger remote code execution exploits by sending special text within the JSON body.

Hibernate will interpolate text surrounded by ${} which can include arbitrary Java. Untrusted data must be escaped to prevent these values from being interpolated during the call to ConstraintValidatorContext.buildConstraintViolationWithTemplate().

Linked Gitlab issue:

Edited by Chris Zhang

Merge request reports