I have a RESTful API that can return both JSON and XML.
Say, for example, that a request is made for all comments on an artifact such as a document, like so: GET /document/DOCUMENT_ID/comments.json. The response looks like this:
[
{
"created_time": 1304598075,
"text": "<script type=\"text/javascript\">alert(document.cookie)</script>",
"user_id": 2293,
"id": 184124
},
{
"created_time": 1304598043,
"text": "It's over ninethousaaaaaanddd!!!",
"user_id": 2293,
"id": 184122
}
]
Within my own service the first comment would be XSS-escaped before being presented. But when accessed through the API, I would have to trust the implementor of the API to do the escaping.
If the API is implemented in a web service presented through a browser, the attack vector is quite real.
On the other hand, if the API is implemented in a desktop app or a mobile application, XSS escaping would be a total nuisance and not needed.
Should I escape all strings I return through the API? Or should I implement a setting so that when registering a third-party application an API implementor could specify whether he would like escaped responses or not?
It would be interesting to learn how others have dealt with this issue.
No, you shouldn't: the XSS processing should be done by whatever is actually going to show the data. Many third-party ASP.NET controls already implement XSS protection on the text they display, so you could end up with a situation where the text is double-encoded.