The error message stored in files, syslog or mail, contains the error message itself, the stack trace and other useful informations. You can configure what should be store exactly.

In the section [error_handling] of the configuration, you have an option messageLogFormat specifing the format of the message. This format supports some special keywords %date%, %ip%, %typeerror%, %code%, %msg%, %url%, %file%, %line%, %params%, %http_error%, \t and \n.

%params% indicates to display all parameters in the HTTP request. However, it may causes privacy issues or security issues, because some parameters may contains some sensitive informations like password, and so they should not be stored into log storages.

To avoid it, you can remove the tag %params% from messageLogFormat. Or you can give a list of parameters that should not be expose into logs.

You can set this list into the configuration, into the option VsensitiveParameters@@ from the error_handling section. By default:

[error_handling]
sensitiveParameters = "password,passwd,pwd"

Or you can also set this list into a controller, in its $sensitiveParameters property:

class passwordCtrl extends jController {

    public $sensitiveParameters = array('pwd', 'pwd_confirm');

    //...
}

When you are using jForms, all fields that are of type <secret>, are automatically declared as sensitive parameters.

Details of error messages are never displayed in the browser (except in the debug bar if you activate it). When an error occured, Jelix displays an error page with the HTTP code 500.

By default, it shows the page stored at lib/jelix/core/response/error.en_US.php. You can provide your own page by copying this file into the app/responses/ directory. Modify this page to customize it with your own design.

Notice that error.en_US.php is a simple php script. You can write any PHP instructions. However, don't call any Jelix objects. The occured error may not appear in a "safe" context (some object may not be present, configured etc). And don't try to display the true error, for security reasons and for better usability. In fact, this page should be almost a static page. Just keep existing echo instructions.

Variables $HEADTOP, $HEADBOTTOM and $BODYTOP are not used for the moment (it is just to be compatible with static pages returned by jResponseBasicHtml). $BODYBOTTOM contains the error message, without details. A variable $BASEPATH is available, containing the base path of the application, for stylesheets etc. However, this variable may be empty in some case, depending of the origin of the error (an error appearing before or during the load of the configuration).

The error page may not be used in some case:

• when there are fatal PHP errors
• when an error occured during the initialization of the configuration file
• when the browser doesn't accept html

In this last case, Jelix returns a simple text content. This text content can be configured into the option errorMessage inside the [error_handling] section of the configuration.