
Are request.body and request.url secure against malformed user/hacker input?

Open devalexqt opened this issue 3 years ago • 1 comments

Hi! I am wondering whether the request body and URL (and, as a result, the path and query) are secured and trusted values. Or can they include "bad", insecure characters, so that a hacker can compromise the server? Or do we instead need a sanitizer on the server for untrusted inputs?

devalexqt, Jan 13 '21 10:01

It appears not... #265 shows how it can be a problem with a bad request URL. Sanitising it isn't the problem; it is properly handling the errors. As far as the body goes, that is left up to the implementor, but I will double check that there isn't body processing that could raise an error in a place which will halt the server listening.

kitsonk, Jan 23 '21 03:01
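
The reply's point about handling errors from a bad request URL, as an added example that is not part of the thread or of oak's code and does not reproduce #265: plain JavaScript in which parse failures become a 400 and handler failures a 500, rather than an uncaught exception. The names `parseTarget`, `respond` and `echo` and the `http://localhost` base are assumptions made for the example.

```javascript
// Added example: plain JavaScript, no oak APIs; every name is hypothetical.

// Parse an untrusted request target. Returns { ok: true, segments, query }
// or { ok: false, reason } instead of throwing.
function parseTarget(rawTarget) {
  let url;
  try {
    // The base origin is a constructed placeholder so relative targets parse.
    url = new URL(rawTarget, "http://localhost");
  } catch {
    return { ok: false, reason: "invalid request target" };
  }
  const segments = [];
  for (const raw of url.pathname.split("/").filter(Boolean)) {
    try {
      // Throws URIError on malformed percent-encoding such as "%E0%A4%A".
      segments.push(decodeURIComponent(raw));
    } catch (err) {
      if (err instanceof URIError) {
        return { ok: false, reason: "malformed percent-encoding" };
      }
      throw err; // anything else is unexpected and is not swallowed here
    }
  }
  return { ok: true, segments, query: Object.fromEntries(url.searchParams) };
}

// Map every outcome to a response so one bad request cannot take down
// the listener: parse failures become 400, handler failures become 500.
function respond(rawTarget, handler) {
  const parsed = parseTarget(rawTarget);
  if (!parsed.ok) return { status: 400, body: parsed.reason };
  try {
    return { status: 200, body: handler(parsed) };
  } catch {
    return { status: 500, body: "internal error" };
  }
}

// Constructed sample handler: echoes the decoded path and query.
const echo = ({ segments, query }) => JSON.stringify({ segments, query });
```

Decoding succeeds for any well-formed input, so the decoded segments and query values are still attacker-controlled strings and need the same validation as the body before use.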