♻️ Validate Server Sent Event fields to avoid applications from sending broken data #15588

Merged
tiangolo merged 1 commit into master from validate-sse-fields
May 23, 2026

@tiangolo tiangolo commented May 23, 2026

Member

Pull Request

Discussion:

Description

♻️ Validate Server Sent Event fields to avoid applications from sending broken data

This was reported multiple times as a "vulnerability" by users probably using automated AI tools, with the argument that if input was taken from the request and passed directly to an event unfiltered, it could break the client.

If an app sets an id or event with multi-line content, I would consider that app broken, and probably the app itself vulnerable to something, not FastAPI. With this change, if any app sets invalid multi-line values (sourced from unfiltered input or in any other way), FastAPI will make it a server error (which it is, as the app is sending invalid data).

I don't think the code before this PR has a bug, less a vulnerability. This change is mainly a quality of life improvement to prevent badly written apps from shooting themselves in the foot by passing unsanitized data directly to an SSE.

AI Disclaimer

Codex with GPT-5.5

AI transcript

Checklist

  • This PR is an obvious typo fix, or it links to a GitHub Discussion for the proposed code change.
  • I added tests for the change.
  • The new or updated tests fail on the main branch and pass on this PR.
  • Coverage stays at 100%.
  • The documentation explains the change if needed.
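
The kind of check described in the comment above, as an added example that is not code from this PR or from FastAPI: a stand-alone serializer that rejects line breaks in the single-line `event` and `id` fields, next to an unvalidated version for comparison. All names here (`format_sse`, `naive_format_sse`, `field_names`, `InvalidSSEField`) are hypothetical, and the sample input is constructed.

```python
import re
from typing import List, Optional

# In the SSE wire format CR, LF and CRLF each terminate a line.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


class InvalidSSEField(ValueError):
    """A single-line field (event, id) holds a value that cannot be framed."""


def _single_line(name: str, value: str) -> str:
    if _LINE_BREAK.search(value):
        raise InvalidSSEField(f"SSE field {name!r} must not contain CR or LF")
    # Clients ignore an id containing U+0000, so treat it as invalid too.
    if name == "id" and "\0" in value:
        raise InvalidSSEField("SSE field 'id' must not contain NUL")
    return value


def format_sse(data: str, event: Optional[str] = None,
               id: Optional[str] = None) -> str:
    """Serialize one event (hypothetical helper, not FastAPI's API)."""
    lines = []
    if event is not None:
        lines.append(f"event: {_single_line('event', event)}")
    if id is not None:
        lines.append(f"id: {_single_line('id', id)}")
    # data may span lines legitimately: one "data:" field per line.
    lines.extend(f"data: {part}" for part in _LINE_BREAK.split(data))
    return "\n".join(lines) + "\n\n"


def naive_format_sse(data: str, event: str) -> str:
    """Unvalidated formatting, kept only to show what the check prevents."""
    return f"event: {event}\ndata: {data}\n\n"


def field_names(frame: str) -> List[str]:
    """Field names a client would see when parsing one frame."""
    return [ln.split(":", 1)[0] for ln in _LINE_BREAK.split(frame) if ln]


if __name__ == "__main__":
    multi_line = "update\nid: 999"  # constructed multi-line event value
    print(field_names(naive_format_sse("hi", multi_line)))
    try:
        format_sse("hi", event=multi_line)
    except InvalidSSEField as exc:
        print("rejected:", exc)
```

Raising an exception here, rather than stripping the line break, matches the stance in the description: the application sent invalid data, so the failure surfaces as a server error instead of a silently altered stream.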

codspeed-hq Bot commented May 23, 2026

Merging this PR will not alter performance

🎉 Hooray! pytest-codspeed just leveled up to 4.4.0!

A heads-up, this is a breaking change and it might affect your current performance baseline a bit. But here's the exciting part - it's packed with new, cool features and promises improved result stability 🥳!
Curious about what's new? Visit our releases page to delve into all the awesome details about this new version.

✅ 20 untouched benchmarks


Comparing validate-sse-fields (1a39e23) with master (6cbdde2) [1]

Footnotes

  1. No successful run was found on master (cb83b83) during the generation of this report, so 6cbdde2 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@tiangolo tiangolo marked this pull request as ready for review May 23, 2026 17:22
@tiangolo tiangolo enabled auto-merge (squash) May 23, 2026 17:22
@tiangolo tiangolo merged commit c7fb785 into master May 23, 2026
39 of 40 checks passed
@tiangolo tiangolo deleted the validate-sse-fields branch May 23, 2026 17:23