Provide custom 404 view that doesn't echo path (#800)
We get some bogus bug bounty submissions that talk about HTML injection on our 404 Not Found pages, which are default Pyramid views which echo out the `path` of the Request that isn't found. So you can put some gibberish in there, but it looks real jank and would not be a valid social engineering attack, but it should be simple for us to just default this to be quieter so we don't receive these reports.

Ref: https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/hooks.html

Example: https://ads-api.reddit.com/this_is_a_test_where_i_could_spoof_whatever_i_guess

- [x] CI tests (if present) are passing
- [x] Adheres to code style for repo
- [x] Contributor License Agreement (CLA) completed if not a Reddit employee

Co-authored-by: David King <ketralnis@reddit.com>