`format_sse_event()` interpolated the `event` and `id` fields into SSE
wire-format bytes without stripping or rejecting newline characters. A
`\n` or `\r\n` in either field injects an additional SSE field-line into
the stream — enabling event-type spoofing and fabricated data payloads
in browser EventSource clients.
The `data` and `comment` fields were already protected via `splitlines()`;
the omission for `event` and `id` was an inconsistency, not a design
decision. The identical bug class was fixed in Hono (GHSA-p6xx-57qc-3wxr).
Changes:
- Add `_check_event_no_newline()` validator and apply it to
`ServerSentEvent.event` via `AfterValidator`
- Extend `_check_id_no_null()` to also reject `\n` and `\r`
- Strip `\r`/`\n` in `format_sse_event()` for `event` and `id` as
defense-in-depth (low-level function, bypasses model validators)
- Add 7 regression tests covering LF/CR rejection in both the model
and the low-level formatting function
Severity: Medium (client-side injection; server unaffected)
CWE: CWE-116 — Improper Encoding for Output in a Different Plaintext Context
OWASP: A03:2021 — Injection
Prior art: Hono GHSA-p6xx-57qc-3wxr (same class, same fix pattern)