Skip to content

fix: change custom error handler to display message from API #906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
smarcet merged 1 commit into from
May 11, 2026
+19 −5
Merged

fix: change custom error handler to display message from API #906

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions src/actions/ticket-actions.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
import T from "i18n-react/dist/i18n-react";
import pLimit from "p-limit";
import {
VALIDATE,
authErrorHandler,
createAction,
deleteRequest,
Expand Down Expand Up @@ -113,11 +114,24 @@ export const customErrorHandler = (ticketId, err, res) => (dispatch) => {

switch (code) {
case ERROR_CODE_412:
Swal.fire(
"Validation error",
`Ticket number ${ticketId} not found.`,
"warning"
);
if (Array.isArray(err.response.body)) {
err.response.body.forEach((er) => {
msg += `${er}<br>`;
});
} else {
Object.keys(err.response.body).forEach((key) => {
msg += `${err.response.body[key]}<br>`;
});
Comment on lines +117 to +124
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify `msg` has assignments but no local declaration in the changed handler.
rg -nP 'customErrorHandler|ERROR_CODE_412|msg\s*\+=' src/actions/ticket-actions.js -C3
rg -nP '\b(let|const|var)\s+msg\b' src/actions/ticket-actions.js -C1

Repository: fntechgit/summit-admin

Length of output: 1187

msg is undeclared and will crash at runtime.

Lines 119 and 123 use msg without declaring it. This causes a ReferenceError when the ERROR_CODE_412 handler runs. Guard err.response.body before accessing it.

🔧 Proposed fix 
   switch (code) {
-    case ERROR_CODE_412:
-      if (Array.isArray(err.response.body)) {
-        err.response.body.forEach((er) => {
+    case ERROR_CODE_412: {
+      const body = err?.response?.body;
+      if (!body) {
+        Swal.fire("Validation error", "", "warning");
+        break;
+      }
+
+      let msg = "";
+      if (Array.isArray(body)) {
+        body.forEach((er) => {
           msg += `${er}<br>`;
         });
       } else {
-        Object.keys(err.response.body).forEach((key) => {
-          msg += `${err.response.body[key]}<br>`;
+        Object.keys(body).forEach((key) => {
+          msg += `${body[key]}<br>`;
         });
       }
 
       Swal.fire("Validation error", msg, "warning");
+      if (body.errors) {
+        dispatch({
+          type: VALIDATE,
+          payload: { errors: body.errors }
+        });
+      }
+      break;
+    }
-
-      if (err.response.body.errors) {
-        dispatch({
-          type: VALIDATE,
-          payload: { errors: err.response.body }
-        });
-      }
-      break;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/actions/ticket-actions.js` around lines 117 - 124, The ERROR_CODE_412
handler uses msg without declaring it and assumes err.response.body exists;
declare a local variable (e.g., let msg = '') before the body inspection and
guard the access to err.response and err.response.body (e.g., if (err.response
&& err.response.body) { ... }) in the block that contains the
Array.isArray(err.response.body) and Object.keys(...) branches in
src/actions/ticket-actions.js so you won't get a ReferenceError and you safely
handle missing/undefined response bodies.

}

Swal.fire("Validation error", msg, "warning");
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In SweetAlert2, does Swal.fire(title, html, icon) treat the second argument as HTML, and is it sanitized by default?

💡 Result:

Yes. In SweetAlert2, the shorthand call Swal.fire(title, html, icon) maps the second argument to the html parameter (i.e., the modal body is treated as HTML). No. SweetAlert2 does not sanitize the html parameter by default. Its TypeScript definitions explicitly state that it “does NOT sanitize this parameter” and that escaping user input is the developer’s responsibility to prevent XSS. So, if you pass user-controlled strings as the second argument, you must escape/sanitize them yourself before calling Swal.fire(...).

Citations:

🏁 Script executed:

cat -n src/actions/ticket-actions.js | sed -n '110,145p'

Repository: fntechgit/summit-admin

Length of output: 1252

🏁 Script executed:

cat -n src/actions/ticket-actions.js | sed -n '100,135p'

Repository: fntechgit/summit-admin

Length of output: 1429

🏁 Script executed:

cat -n src/actions/ticket-actions.js | sed -n '80,130p'

Repository: fntechgit/summit-admin

Length of output: 2545

🏁 Script executed:

cat -n src/actions/ticket-actions.js | sed -n '1,130p'

Repository: fntechgit/summit-admin

Length of output: 5937

🏁 Script executed:

rg "customErrorHandler" -B5 -A50 src/actions/ticket-actions.js | head -80

Repository: fntechgit/summit-admin

Length of output: 2686

🏁 Script executed:

rg -B10 "msg +\+=" src/actions/ticket-actions.js

Repository: fntechgit/summit-admin

Length of output: 495

🏁 Script executed:

rg "msg\s*=" src/actions/ticket-actions.js | head -20

Repository: fntechgit/summit-admin

Length of output: 48

🏁 Script executed:

rg "customErrorHandler" -A60 src/actions/ticket-actions.js | head -100

Repository: fntechgit/summit-admin

Length of output: 3157

🏁 Script executed:

rg "let msg|const msg|var msg" src/actions/ticket-actions.js

Repository: fntechgit/summit-admin

Length of output: 48

🏁 Script executed:

rg "msg" src/actions/ticket-actions.js -B2 -A2

Repository: fntechgit/summit-admin

Length of output: 434

🏁 Script executed:

rg "^(let|const|var)\s+msg|^msg\s*=" src/actions/ticket-actions.js

Repository: fntechgit/summit-admin

Length of output: 48

🏁 Script executed:

cat src/actions/ticket-actions.js | grep -n "msg"

Repository: fntechgit/summit-admin

Length of output: 211

🏁 Script executed:

sed -n '110,140p' src/actions/ticket-actions.js | cat -n

Repository: fntechgit/summit-admin

Length of output: 1016

🏁 Script executed:

head -150 src/actions/ticket-actions.js | tail -100

Repository: fntechgit/summit-admin

Length of output: 4315

🏁 Script executed:

wc -l src/actions/ticket-actions.js

Repository: fntechgit/summit-admin

Length of output: 101

🏁 Script executed:

rg "msg\s*=" -B20 src/actions/ticket-actions.js | grep -A20 -B20 "msg"

Repository: fntechgit/summit-admin

Length of output: 48

Use the text parameter instead of rendering API content via SweetAlert's HTML slot.

Line 127 passes API-derived content directly into SweetAlert2's HTML parameter without sanitization. SweetAlert2 does not sanitize the html parameter by default, creating an XSS vulnerability if backend messages contain markup.

Recommended fix 
-      Swal.fire("Validation error", msg, "warning");
+      Swal.fire({
+        title: "Validation error",
+        text: msg.replace(/<br>/g, "\n"),
+        icon: "warning"
+      });
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Swal.fire("Validation error", msg, "warning");
Swal.fire({
title: "Validation error",
text: msg.replace(/<br>/g, "\n"),
icon: "warning"
});
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/actions/ticket-actions.js` at line 127, The Swal.fire call is passing
API-derived content via the HTML slot (Swal.fire("Validation error", msg,
"warning")), which can create XSS; change the call to use the text option
instead and ensure msg is a plain string (e.g. replace with Swal.fire({ title:
"Validation error", text: msg, icon: "warning" })), or alternatively
escape/sanitize msg before displaying; locate the Swal.fire invocation and the
msg variable in src/actions/ticket-actions.js and update the call accordingly.


if (err.response.body.errors) {
dispatch({
type: VALIDATE,
payload: { errors: err.response.body }
});
Comment on lines +129 to +133
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

VALIDATE payload shape is inconsistent with the condition.

You check err.response.body.errors but dispatch payload.errors = err.response.body (entire body). Since src/reducers/tickets/ticket-type-reducer.js stores payload.errors directly, this can break consumers expecting only the errors object/array.

🧩 Proposed fix 
-      if (err.response.body.errors) {
+      if (err.response.body.errors) {
         dispatch({
           type: VALIDATE,
-          payload: { errors: err.response.body }
+          payload: { errors: err.response.body.errors }
         });
       }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (err.response.body.errors) {
dispatch({
type: VALIDATE,
payload: { errors: err.response.body }
});
if (err.response.body.errors) {
dispatch({
type: VALIDATE,
payload: { errors: err.response.body.errors }
});
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/actions/ticket-actions.js` around lines 129 - 133, The VALIDATE dispatch
is passing the entire err.response.body as payload.errors while the condition
checks err.response.body.errors; update the dispatch in the error handler (where
VALIDATE is dispatched) to set payload.errors to err.response.body.errors (or
use a safe fallback like err.response.body.errors || {}) so the shape matches
what ticket-type-reducer.js expects; locate the VALIDATE dispatch in
src/actions/ticket-actions.js and replace the payload assignment accordingly.

}
break;
default:
dispatch(authErrorHandler(err, res));
Expand Down
Loading