Hi Sudhakar,

What really makes a difference is the Object type and Content-Type returned by your API. If it is XML or JSON, it should be escaped by default.

Cheers,
Roberto

> On 4 Feb 2019, at 08:03, sudhakarvm <[email protected]> wrote:
>
> Hi,
>
> We are using Jersey 2 and not overriding the default JSON serializer and
> deserializer, i.e. Johnzon. So wanted to check whether Johnzon escapes the
> request payload (for avoiding cross-site scripting attacks - XSS) or do we
> have to explicitly escape the input. If we have to escape it ourselves, then can
> you suggest the best-fit escaping (input sanitizing) API.
>
> Thanks in advance,
> Sudhakar
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
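To illustrate the Content-Type point in the reply above, here is an added example that is not part of the thread and is not Johnzon or Jersey code. It is plain Java with no dependencies; the class `EscapeContexts` and the helpers `jsonString` and `htmlText` are hypothetical names, and `jsonString` applies only the string escaping that RFC 8259 requires, as a stand-in for a JSON serializer's string writer.

```java
public class EscapeContexts {

    // JSON string escaping required by RFC 8259: quote, backslash, control characters.
    // Assumption: stands in for a serializer's string writer; it is not Johnzon's code.
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    // HTML text encoding: needed only when the value is written into an HTML page.
    static String htmlText(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String comment = "<script>alert(\"x\")</script>"; // constructed sample input
        // JSON context: escaping keeps the document well-formed, but the angle
        // brackets pass through, so the JSON media type is what keeps a browser
        // from treating the body as markup.
        String json = "{\"comment\":" + jsonString(comment) + "}";
        System.out.println("as application/json: " + json);
        // HTML context: the same value must be HTML-encoded at the point of output.
        System.out.println("as text/html:        " + htmlText(comment));
    }
}
```

In a JAX-RS resource the first case corresponds to declaring `@Produces(MediaType.APPLICATION_JSON)` on the method; for the second, a maintained encoder library is preferable to a hand-written one.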
