rlevas commented on issue #70: KNOX-1817 - Fix XSS issues with Alias API
URL: https://github.com/apache/knox/pull/70#issuecomment-472172680
 
 
   Since the content type is JSON, I think it would be an issue if the returned
JSON document contained characters encoded for HTML. This may be confusing to
a client using the JSON document since HTML-encoded characters may be
re-encoded if being displayed in an HTML document.
   
   `<script>...</script>` means something in an HTML document, but has no 
meaning (other than the literal string) in a JSON document.   Therefore I would 
expect a consumer of a JSON document to properly encode the data for the target 
viewer.  If the target was an HTML document, I would expect that the JSON to 
HTML translation code would perform the encoding of the string as needed. 
   

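Added example, not part of the original comment or of the Knox code base: a consumer that encodes JSON values at the point they enter HTML, run against a JSON document carrying the literal string and against one whose producer already HTML-encoded it. The `{"aliases": [...]}` shape and all function names are assumptions made for illustration.

```javascript
// Added illustration. The {"aliases": [...]} shape is an assumed format,
// not Knox's documented response.

// Encode a string for an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Consumer side: parse the JSON, then encode each value when it is placed into HTML.
function renderAliasList(jsonText) {
  const doc = JSON.parse(jsonText);
  return '<ul>' + doc.aliases.map((a) => `<li>${escapeHtml(a)}</li>`).join('') + '</ul>';
}

// A non-HTML consumer (CLI, another service) only needs the value to round-trip.
function roundTrips(jsonText, original) {
  return JSON.parse(jsonText).aliases[0] === original;
}

// Constructed sample: an alias name containing the markup quoted in the comment.
const aliasName = '<script>...</script>';

// Producer A: JSON carries the literal string; JSON.stringify applies JSON escaping only.
const literalJson = JSON.stringify({ aliases: [aliasName] });

// Producer B: the value was HTML-encoded before being put into the JSON document.
const preEncodedJson = JSON.stringify({ aliases: [escapeHtml(aliasName)] });

const htmlFromLiteral = renderAliasList(literalJson);       // inert, displays the original name
const htmlFromPreEncoded = renderAliasList(preEncodedJson); // double-encoded, displays "&lt;script&gt;..."

console.log(htmlFromLiteral);
console.log(htmlFromPreEncoded);
console.log(roundTrips(literalJson, aliasName), roundTrips(preEncodedJson, aliasName));
```

The consumer's HTML output is inert in both cases because it encodes at render time; only the literal-string document displays the original name and round-trips for non-HTML clients.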