Skip to content

move validation of names into validateSchema#4423

Closed
yaacovCR wants to merge 3 commits intographql:nextfrom
yaacovCR:move-validation
Closed

move validation of names into validateSchema#4423
yaacovCR wants to merge 3 commits intographql:nextfrom
yaacovCR:move-validation

Conversation

@yaacovCR
Copy link
Copy Markdown
Contributor

@yaacovCR yaacovCR commented Jun 3, 2025
edited
Loading

See discussion in #4362.

As noted by @ab-pm, this is a reversion of #3288 which itself reverted some of #1132.

We might need some more context on the motivation behind #3288.

@yaacovCR yaacovCR requested a review from a team as a code owner June 3, 2025 14:11
This was referenced Jun 3, 2025
Open
Closed
@yaacovCR
Copy link
Copy Markdown
Contributor Author

yaacovCR commented Feb 12, 2026

discussed a while back offline with @IvanGoncharov

the reason for moving name validation into constructors was to prevent XSS attacks when displaying schema element names from unvalidated schemas, which apparently is a live concern, and would therefore be a potentially subtle BREAKING CHANGE for v17 with dangerous consequences.

removing these checks is only a modest performance win, up to ~3% in my testing, and so it does not seem worth it to remove.

So closing this PR in favor of other solutions like #4556

@yaacovCR yaacovCR closed this Feb 12, 2026
@yaacovCR yaacovCR deleted the move-validation branch March 29, 2026 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yaacovCR