Should I XSS protect responses from my API?
I have a RESTful API that can return both JSON
and XML
.
Say for example that a request is made for all comments on an artifact such as a document as such: GET /document/DOCUMENT_ID/comments.json
. The response looks like this:
[
{
"created_time": 1304598075,
"text": "<script type=\"text/javascript\">alert(document.cookie)</script>",
"user_id": 2293,
"id": 184124
},
{
开发者_如何学C "created_time": 1304598043,
"text": "It's over ninethousaaaaaanddd!!!",
"user_id": 2293,
"id": 184122
}
]
Within my own service the first comment would be XSS-escaped before presented. But when accessed through the API, I would have to trust the implementor of the API to do the escaping.
If the API is implemented in a web service presented through a browser, the attack vector is quite real.
On the other hand, if the API is implemented in a desktop app, or a mobile application - XSS escaping would be a total nuisance and not needed.
Should I escape all strings I return through the API? Or should I implement a setting so that when registering a third-party application an API implementor could specify whether he would like escaped responses or not?
Would be interesting to learn how other's have dealt with this issue.
No you shouldn't - the XSS processing should be done by whatever is actually going to show the data. Many 3rd party ASP.NET controls already implement XSS protection on the text they display, so you could end up with a situation where the text is double-encoded.
精彩评论