From 24f27ed559a2e977b2a22812e8da2b0c89618ee5 Mon Sep 17 00:00:00 2001
From: Charlie Kolb
Date: Wed, 3 Jun 2026 08:41:25 +0200
Subject: [PATCH] fix(core): Improve validator error messages for name and label fields (#31391)
---
 .../src/dto/api-keys/update-api-key-request.dto.ts | 4 +++-
 .../api-types/src/dto/user/user-update-request.dto.ts | 4 ++--
 .../utils/validators/__tests__/no-url.validator.test.ts | 2 +-
 .../utils/validators/__tests__/no-xss.validator.test.ts | 8 ++++++--
 packages/@n8n/db/src/utils/validators/no-url.validator.ts | 2 +-
 packages/@n8n/db/src/utils/validators/no-xss.validator.ts | 2 +-
 6 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/packages/@n8n/api-types/src/dto/api-keys/update-api-key-request.dto.ts b/packages/@n8n/api-types/src/dto/api-keys/update-api-key-request.dto.ts
index 31b52659564..d8f70a5bb9c 100644
--- a/packages/@n8n/api-types/src/dto/api-keys/update-api-key-request.dto.ts
+++ b/packages/@n8n/api-types/src/dto/api-keys/update-api-key-request.dto.ts
@@ -11,6 +11,8 @@ const xssCheck = (value: string) =>
 });
 export class UpdateApiKeyRequestDto extends Z.class({
- label: z.string().max(50).min(1).refine(xssCheck),
+ label: z.string().max(50).min(1).refine(xssCheck, {
+ message: 'Label can only contain letters, numbers, spaces and punctuation',
+ }),
 scopes: scopesSchema,
 }) {}
diff --git a/packages/@n8n/api-types/src/dto/user/user-update-request.dto.ts b/packages/@n8n/api-types/src/dto/user/user-update-request.dto.ts
index abc044a8f42..10393863543 100644
--- a/packages/@n8n/api-types/src/dto/user/user-update-request.dto.ts
+++ b/packages/@n8n/api-types/src/dto/user/user-update-request.dto.ts
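Review bot: The new message on `label` describes an allowlist ('letters, numbers, spaces and punctuation') that the check behind it may not implement. `xssCheck` is defined above this hunk and only its closing `});` is visible, so this is inferred, but a check of that name presumably rejects markup rather than enforcing a character class. If so, `<` and `>` are punctuation yet would be refused, while symbols outside the listed classes would be accepted, leaving the user with guidance that does not match the rejection. Wording that names what is actually refused, for example `message: 'Label cannot contain HTML tags',`, would stay accurate; please confirm against the body of `xssCheck`. The same wording is introduced in `nameSchema` in user-update-request.dto.ts and in `NoXssConstraint.defaultMessage()`.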
@@ -18,10 +18,10 @@ const nameSchema = () =>
 .min(1)
 .max(32)
 .refine(xssCheck, {
- message: 'Potentially malicious string',
+ message: 'Name can only contain letters, numbers, spaces and punctuation',
 })
 .refine(urlCheck, {
- message: 'Potentially malicious string',
+ message: 'Name cannot contain a URL',
 });
 export class UserUpdateRequestDto extends Z.class({
diff --git a/packages/@n8n/db/src/utils/validators/__tests__/no-url.validator.test.ts b/packages/@n8n/db/src/utils/validators/__tests__/no-url.validator.test.ts
index 82a0281cc25..d020dd1682f 100644
--- a/packages/@n8n/db/src/utils/validators/__tests__/no-url.validator.test.ts
+++ b/packages/@n8n/db/src/utils/validators/__tests__/no-url.validator.test.ts
@@ -20,7 +20,7 @@ describe('NoUrl', () => {
 expect(errors).toHaveLength(1);
 const [error] = errors;
 expect(error.property).toEqual('name');
- expect(error.constraints).toEqual({ NoUrl: 'Potentially malicious string' });
+ expect(error.constraints).toEqual({ NoUrl: 'URLs are not allowed' });
 });
 }
 });
diff --git a/packages/@n8n/db/src/utils/validators/__tests__/no-xss.validator.test.ts b/packages/@n8n/db/src/utils/validators/__tests__/no-xss.validator.test.ts
index d755cf3e923..1b961c11980 100644
--- a/packages/@n8n/db/src/utils/validators/__tests__/no-xss.validator.test.ts
+++ b/packages/@n8n/db/src/utils/validators/__tests__/no-xss.validator.test.ts
@@ -30,7 +30,9 @@ describe('NoXss', () => {
 expect(errors).toHaveLength(1);
 const [error] = errors;
 expect(error.property).toEqual('name');
- expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' });
+ expect(error.constraints).toEqual({
+ NoXss: 'Only letters, numbers, spaces and punctuation are allowed',
+ });
 });
 }
 });
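Review bot: Nothing in this commit pins the two new `nameSchema` messages. The only test files touched are the class-validator ones under `packages/@n8n/db`, so a later edit could swap or merge the `xssCheck` and `urlCheck` texts here without any test failing. Since the value of the change is that a caller can tell which rule rejected the name, a DTO-level assertion such as `expect(result.error?.issues[0].message).toBe('Name cannot contain a URL');` after a `safeParse` of a URL-bearing name would keep the two refinements distinguishable. Whether a spec file for this DTO already exists is not visible from the diff, and `nameSchema` itself starts above the hunk.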
@@ -111,7 +113,9 @@ describe('NoXss', () => {
 expect(errors).toHaveLength(1);
 const [error] = errors;
 expect(error.property).toEqual('categories');
- expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' });
+ expect(error.constraints).toEqual({
+ NoXss: 'Only letters, numbers, spaces and punctuation are allowed',
+ });
 });
 }
 });
diff --git a/packages/@n8n/db/src/utils/validators/no-url.validator.ts b/packages/@n8n/db/src/utils/validators/no-url.validator.ts
index 0cdacaddc18..389b6434972 100644
--- a/packages/@n8n/db/src/utils/validators/no-url.validator.ts
+++ b/packages/@n8n/db/src/utils/validators/no-url.validator.ts
@@ -10,7 +10,7 @@ class NoUrlConstraint implements ValidatorConstraintInterface {
 }
 defaultMessage() {
- return 'Potentially malicious string';
+ return 'URLs are not allowed';
 }
 }
diff --git a/packages/@n8n/db/src/utils/validators/no-xss.validator.ts b/packages/@n8n/db/src/utils/validators/no-xss.validator.ts
index 0171cba070a..314eb94f6ed 100644
--- a/packages/@n8n/db/src/utils/validators/no-xss.validator.ts
+++ b/packages/@n8n/db/src/utils/validators/no-xss.validator.ts
@@ -16,7 +16,7 @@ class NoXssConstraint implements ValidatorConstraintInterface {
 }
 defaultMessage() {
- return 'Potentially malicious string';
+ return 'Only letters, numbers, spaces and punctuation are allowed';
 }
 }
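Review bot: `defaultMessage()` in `NoUrlConstraint`, and likewise in `NoXssConstraint` in the last hunk, no longer returns one shared, distinctive string. Anything that keyed on 'Potentially malicious string' to notice rejected markup or URLs (log searches, alert rules, client-side handling) would stop matching after this change; whether such consumers exist is not visible from the diff. The stable identifier is the constraint key, which the updated tests show as `NoUrl` and `NoXss` in `error.constraints`. A comment above each return would record that, for example `// User-facing text only; match on the constraint name, not on this message`. Both classes begin outside their hunks.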