Security benefits of encoding HTML special characters in JSON responses

Question

I have recently received a recommendation, from a third party, to encode HTML special characters in all server responses "for security reasons". So:

' --> '
& --> &

e.g.

{ "id": 1, "name": "Miles O'Brien" }

Question: Is there a security gain in doing this, or is it just a paranoia?

Answer 1

& --> &

Are you sure this was the kind of encoding they meant?

There is a reason to encode HTML-special characters being returned inside JSON responses, and that's to avoid XSS causing by unwanted type-sniffing. For example if you had:

{ "name": "<body>Mister <script>...</script>" }

and an attacker included a link to your JSON-returning resource in an HTML context (eg iframe src) then a stupid browser might decide that, due to the giveaway string <body>, your document was not a JSON object but an HTML document. It could then execute the script in your security context, leading to XSS vulns.

The solution to this is to use JSON string literal escaping, for example:

{ "name": "\u003Cbody\u003EMister \u003Cscript\u003E...\u003C/script\u003E" }

Using HTML-escaping in this context, whilst it avoids the problem, has the side-effect of changing the meaning of the strings. "Miles O'Brien" read by a JSON parser is still Miles O'Brien with the ampersand-x-twenty-seven in it, so if you're writing that value to the page using the likes of .value, .textContent or jQuery .text() it's going to look weird.

Now if you were assigning that string to .innerHTML or jQuery .html() instead, then yeah, you'd definitely need to HTML-escape it at some point, regardless of the JSON XSS problem. However I'd suggest that in this case, for separation-of-concerns reasons, that point should be at the client end where you're actually injecting the content into HTML markup, rather than the server side generating the JSON. In general it is better to avoid injecting strings into markup anyhow, when safer DOM-style methods are available.

Answer 2

Depending on what you are using the data for, yes there is a security benefit.

If you were taking user input, and sending it back to your server, then using it to interact with your database; I could potentially terminate one of your strings, and inject my own SQL statements. And even without a malicious mindset, you sending around quotation characters could accidentally terminate strings.