"<" character in json response


Balamurugan Natarajan

May 13, 2013, 12:49:45 AM
to api-...@googlegroups.com
Hi,

A few API providers (Google, Facebook, etc.) replace the "<" character in JSON responses with its Unicode escape sequence.

Can anyone explain the reason behind this?

Thanks
Bala

Balamurugan Natarajan

May 15, 2013, 6:45:32 AM
to api-...@googlegroups.com
Hi,

I believe that this is to avoid a security hack.

But what kind of attack is possible without this encoding?

Any idea?

Bala

Walter Brand

May 16, 2013, 3:59:43 AM
to api-...@googlegroups.com
If < were not encoded, it could be possible to insert script tags on a page and, with that, insert unwanted code from third parties.


On Wednesday, 15 May 2013 12:45:32 UTC+2, Balamurugan Natarajan wrote the following:

Balamurugan Natarajan

May 17, 2013, 9:31:18 AM
to api-...@googlegroups.com
Hi Walter,

Thanks for the reply.

How can a script tag be executable in a JSON response?

With security in mind, I am already:

* adding an impurity
* setting Content-Type to "application/json"
* setting the 'Content-Disposition: attachment' and X-Content-Type-Options headers


Do I still need to encode? Is there any link/doc to demonstrate such a hack?

I'm not afraid to encode it in the response. All I want to know is the details of the possible attack.

If anyone here knows any related links, please share them with me.

Thanks
Balamurugan
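The attack Walter describes and the question Bala raises about the response headers, as an added worked example that is not part of the thread and not code from any of the API providers mentioned. It assumes a hypothetical server-side template (`renderPage`) that copies API JSON into an HTML page inside a `<script>` block, which is where a "<" in JSON becomes dangerous; the sample record and the escaping helper are constructed for this illustration.

```javascript
// Added example (not from the thread): why API providers emit "<" as "\u003c".
// The JSON endpoint itself is not where a script tag runs; the risk appears
// when the JSON text is later inlined into an HTML page, typically inside a
// <script> block by a server-side template. The HTML tokenizer ends a script
// block at the first "</script" it sees, regardless of JavaScript quoting.

// Constructed sample record whose "bio" field is attacker-controlled.
const record = {
  user: "mallory",
  bio: "hi </script><script>alert(document.cookie)</script><!--",
};

// Naive serialisation: JSON.stringify leaves "<" and ">" untouched.
function toJsonNaive(value) {
  return JSON.stringify(value);
}

// Hardened serialisation: replace characters that are significant in HTML
// (< > &) or that terminate a JS string literal (U+2028, U+2029) with JSON
// \uXXXX escapes. The result is still valid JSON and parses back to the
// identical value, which is what makes this escaping free to apply always.
function toJsonHtmlSafe(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"),
  );
}

// Hypothetical template that embeds API JSON in a page for client-side use.
function renderPage(json) {
  return `<html><body><script>var data = ${json};</script></body></html>`;
}

// How many "</script" sequences does the HTML parser see? A safe page has
// exactly one (the template's own closing tag); more means the data broke out.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Vulnerable path: unescaped JSON terminates the script block early and the
// attacker's <script> element executes in the page's origin.
const naivePage = renderPage(toJsonNaive(record));

// Hardened path: the same data, but every "<" is now "\u003c" in the page
// source, so the HTML parser never sees a tag inside the script block.
const safePage = renderPage(toJsonHtmlSafe(record));

console.log("naive </script count:", countScriptCloses(naivePage)); // 3
console.log("safe  </script count:", countScriptCloses(safePage));  // 1
console.log("round-trip intact:",
  JSON.parse(toJsonHtmlSafe(record)).bio === record.bio);           // true
```

The point of the escaping is that `\u003c` is a legal escape in both JSON and JavaScript string literals, so consumers that parse the response are unaffected, while a copy of the same bytes pasted into an HTML context can no longer open or close a tag. `Content-Type: application/json`, `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` protect the endpoint when a browser fetches it directly; they do nothing for the copy of the text that a template or script later writes into a page, because the headers do not travel with the bytes. U+2028 and U+2029 are included because they are valid unescaped inside a JSON string yet historically ended a line in JavaScript source, which also breaks an inlined literal.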