Is it possible to XSS exploit JSON responses with proper JavaScript string escaping?

This potential XSS vulnerability can be avoided by using the correct Content-Type. Based on RFC 4627, all JSON responses should use the application/json type. The following code is not vulnerable to XSS; go ahead and test it.

Why not just use JSON.parse(response)? I think every major browser now supports it, and it does not execute any code; it only reads objects and arrays.
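Added example, not code from either answer above: a sketch of the two points made so far, serving the payload as application/json and reading it with JSON.parse instead of evaluating it. The function names are hypothetical, and the `\u003c`-style escaping and the `X-Content-Type-Options: nosniff` header are defense-in-depth assumptions that the answers do not mention.

```javascript
// Added example; function names are hypothetical, sample data is constructed.

// Serialize as JSON, then escape characters that would matter if the body
// were ever interpreted as HTML or dropped into an inline <script> block.
function safeJsonBody(value) {
  const escapes = {
    '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
    '\u2028': '\\u2028', '\u2029': '\\u2029',
  };
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => escapes[c]);
}

// Server side: label the response as JSON so a browser that navigates to it
// directly does not render it as an HTML document.
function buildJsonResponse(value) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      // Assumption (not from the page): also disable MIME sniffing.
      'X-Content-Type-Options': 'nosniff',
    },
    body: safeJsonBody(value),
  };
}

// Client side: reject anything not labelled JSON, then parse without
// executing anything. JSON.parse only builds objects, arrays and primitives.
function readJsonResponse(response) {
  const raw = response.headers['Content-Type'] || '';
  const type = raw.split(';')[0].trim().toLowerCase();
  if (type !== 'application/json') {
    throw new Error('unexpected Content-Type: ' + type);
  }
  return JSON.parse(response.body);
}

// Constructed sample: user-controlled text containing markup.
const sample = { comment: '<script>alert(1)</script>' };
const response = buildJsonResponse(sample);
const parsed = readJsonResponse(response);
console.log(response.body);   // markup characters appear only as \u00XX escapes
console.log(parsed.comment);  // original string, returned as inert data
```

The parsed string is still untrusted data: inserting it into the page with `textContent` rather than `innerHTML` keeps it inert.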

I can't really give you an answer, but what I can give you is a way to a solution: you have to find the angle that you relate to or that piques your interest. A good paper is one that people get drawn into because it reaches them in some way. As for me, when it comes to WWII, I think of the Holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.
