REST API input is validated by default in controllers

Sanitization means that the object is "cleaned" and returned.

Validation means an assertion is made that the data is already clean; an error is thrown if something is found that shouldn't be there.

Strapi methods exist both for sanitization and validation in controllers, and they can target input body data, query parameters, and output (sanitization only).

In Strapi 5, REST API input is validated by default in controllers, instead of accepting invalid data and sanitizing it silently.

This page is part of the breaking changes database and provides information about the breaking change and additional instructions to migrate from Strapi v4 to Strapi 5.

🔌 Is this breaking change affecting plugins?
🤖 Is this breaking change handled by a codemod?

Breaking change description

In Strapi v4

In v4, query parameters are validated, but input data (create and update body data) is only sanitized.

In Strapi 5

In v5, both query parameters and input data are validated.

Migration

This section groups useful notes and procedures about the introduced breaking change.

Notes

  • A 400 Bad Request error will be thrown if the request has invalid values, such as in the following cases:

    • relations the user does not have permission to create

    • unrecognized values that are not present on the schema

    • attempts to write non-writable fields and internal timestamps such as the createdAt and createdBy fields

    • usage of the id field (other than for connecting relations) to set or update the id of an object
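The following is an added illustration, not Strapi's own code, of the difference between the v4 behaviour (input is sanitized: offending keys are silently dropped) and the v5 behaviour (input is validated: the request is rejected with a 400). It models the four cases listed above against a constructed "article" schema with a hypothetical `author` relation and a hypothetical permission name; the schema shape, the `BadRequestError` class and the `compareModes` helper are assumptions made for this example. In a real Strapi 5 controller the equivalent work is done by the `strapi.contentAPI.validate.input` and `strapi.contentAPI.sanitize.input` helpers documented on the sanitization and validation page.

```javascript
// Added example (not Strapi code): v4-style sanitization versus v5-style
// validation of a REST create/update body, on a constructed schema.

// Constructed schema: attributes a client may write, attributes that are
// never writable through the API, and relations that need a permission.
const articleSchema = {
  writable: ['title', 'body', 'author'],
  nonWritable: ['id', 'createdAt', 'updatedAt', 'createdBy', 'updatedBy'],
  relations: { author: { requiredPermission: 'api::author.author.find' } }, // hypothetical permission
};

// Hypothetical error type standing in for the framework's 400 response.
class BadRequestError extends Error {
  constructor(message, details) {
    super(message);
    this.name = 'BadRequestError';
    this.status = 400;
    this.details = details;
  }
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Inspect each key of the body and record why it is not acceptable.
function findInputProblems(data, schema, auth) {
  const problems = [];
  for (const key of Object.keys(data)) {
    if (schema.nonWritable.includes(key)) {
      problems.push({ key, reason: 'non-writable field or internal timestamp' });
    } else if (!schema.writable.includes(key)) {
      problems.push({ key, reason: 'unrecognized attribute not on the schema' });
    } else if (hasOwn(schema.relations, key)) {
      const needed = schema.relations[key].requiredPermission;
      if (!auth.permissions.includes(needed)) {
        problems.push({ key, reason: `relation requires permission ${needed}` });
      }
    }
  }
  return problems;
}

// v4-style handling: drop every offending key and return the cleaned body.
function sanitizeInput(data, schema, auth) {
  const bad = new Set(findInputProblems(data, schema, auth).map((p) => p.key));
  return Object.fromEntries(Object.entries(data).filter(([k]) => !bad.has(k)));
}

// v5-style handling: refuse the whole request if anything is off.
function validateInput(data, schema, auth) {
  const problems = findInputProblems(data, schema, auth);
  if (problems.length > 0) {
    throw new BadRequestError('Invalid input', problems);
  }
  return data;
}

// Constructed request from a caller with no permissions, sending each
// kind of value the page lists as rejected in v5.
const requestBody = {
  title: 'Hello',
  body: 'text',
  id: 42, // trying to set the object's id
  createdAt: '2020-01-01T00:00:00.000Z', // internal timestamp
  color: 'red', // not on the schema
  author: { connect: [{ id: 7 }] }, // relation the caller may not set
};
const anonymousAuth = { permissions: [] };

// Run both modes on the same body so the outcomes can be compared.
function compareModes(data, auth) {
  const sanitized = sanitizeInput(data, articleSchema, auth);
  let validationStatus = 200;
  let problems = [];
  try {
    validateInput(data, articleSchema, auth);
  } catch (err) {
    if (!(err instanceof BadRequestError)) throw err;
    validationStatus = err.status;
    problems = err.details;
  }
  return { sanitized, validationStatus, problems };
}

console.log(JSON.stringify(compareModes(requestBody, anonymousAuth), null, 2));
```

Running the block shows the v4 path returning only `title` and `body` (the four other keys vanish without any signal to the client), while the v5 path returns status 400 with one entry per offending key. The migration consequence is visible directly: a client that relied on extra or internal keys being ignored now has to stop sending them.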

Manual procedure

Users should ensure that parameters and input data are valid to avoid 400 errors being thrown. Additional information can be found in the sanitization and validation in controllers documentation.