api-error-handling
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- Indirect Prompt Injection (LOW): Detected a vulnerability surface for indirect injection and reflected XSS in the client-side component.
  - Ingestion points: ApiClient.js processes JSON response data from the server in request(), handleError(), and handleValidationError().
  - Boundary markers: Absent; data received from the API is treated as trusted content.
  - Capability inventory: Use of SweetAlert2's html property in ApiClient.js (lines 115, 137, 150) allows arbitrary HTML and JavaScript to execute in the user's browser context.
  - Sanitization: Absent; the code does not sanitize or escape server-reflected values (which often contain user-controlled input, such as duplicate record values echoed back by validation) before rendering them in the UI. Because the server reflects what the client submitted, an attacker who can reach the API with crafted input controls the string that lands in the html property.
- Data Exposure & Exfiltration (MEDIUM): Information disclosure of sensitive internal server paths.
  - Evidence: In ExceptionHandler.php (line 282), the handleGenericException method includes the full server-side file path and line number of the error in the API response when the APP_DEBUG constant is true.
  - Impact: This reveals the internal directory structure of the host (e.g., /var/www/html/references/...), providing reconnaissance data that can be leveraged for further attacks or path traversal attempts. The leak only materializes when APP_DEBUG is true, so the operational check is to confirm the constant is false in every deployed environment and not merely in the default configuration.
Audit Metadata