summary

Disable Expression Language by default for custom constraint violations

Description

While Hibernate Validator provides the tools to make this perfectly safe and also documents it properly, it looks like users are not very aware of it and have a tendency to push user input to custom constraint violation message templates.

We will have to release a 6.2 for that as it breaks compatibility with the older versions.

Environment

None

Fixed

Assignee

Guillaume Smet

Reporter

Guillaume Smet

Labels

None

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

None

Pull Request

https://github.com/hibernate/hibernate-validator/pull/1138

backportDecision

None

backportReEvaluate

None

Components

engine

Fix versions

6.2.0.CR1

7.0.0.CR1

Priority

Major

Configure