REST API input is validated by default in controllers
Sanitization means that the object is βcleanedβ and returned.
Validation means an assertion is made that the data is already clean and throws an error if something is found that shouldn't be there.
Strapi methods exist both for sanitization and validation in controllers and they can target input body data, query parameters, and output (only for sanitization).
In Strapi 5, REST API input is validated by default in controllers, instead of accepting invalid data and sanitizing it silently.
This page is part of the breaking changes database and provides information about the breaking change and additional instructions to migrate from Strapi v4 to Strapi 5.
| π Is this breaking change affecting plugins? | Yes |
|---|
| π€ Is this breaking change automatically handled by a codemod? | No |
|---|
Breaking change descriptionβ
In Strapi v4
In v4, query parameters are validated, but input data (create and update body data) is only sanitized.
In Strapi 5
In v5, both query parameters and input data are validated.
Migrationβ
This section regroups useful notes and procedures about the introduced breaking change.
Notesβ
A
400 Bad Requesterror will be thrown if the request has invalid values such as in in the following cases:- relations the user do not have permission to create
- unrecognized values that are not present on a schema
- attempt to writing non-writable fields and internal timestamps like
createdAtandcreatedByfields - usage of the
idfield (other than for connecting relations) to set or update theidof an object
Manual procedureβ
Users should ensure that parameters and input data are valid to avoid 400 errors being thrown. Additional information can be found in the sanitization and validation in controllers documentation.