2

I have a customer who wants to ensure that responses from our JSON web service do not contain HTML. So instead of returning a string containing angle brackets they want encoded angle brackets.

Two questions:

  • if I return content type application/json do I need to do this?
  • how can I do this globally in ServiceStack?
David Churchland

1 Answer

1

if I return content type application/json do I need to do this?

You should always return a JSON Mime Type like application/json for JSON Responses (ServiceStack automatically does this for you).

how can I do this globally in ServiceStack?

Support for Escaping HTML Chars was just added in this commit which will let you globally escape HTML chars into unicode notation with:

JsConfig.EscapeHtmlChars = true;

This change is available from v4.5.7+ that's now available on MyGet.

mythz
  • Thanks for the response. Do you have any thoughts or suggestions of where to read to determine how serious it is to only send the correct content-type and not escape the HTML? – David Churchland Mar 02 '17 at 09:27
  • @USER9 Setting the content-type isn't relevant; your Customer in all likelihood wants to escape HTML Chars contained in JSON responses, so you'll need to escape it. – mythz Mar 02 '17 at 09:30
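
What escaping HTML chars into unicode notation looks like on the wire, as an added example that is not part of the original answer and is not ServiceStack's code. It is written in Python to show the JSON text itself; the character set (`<`, `>`, `&`, `'`) and the sample response are assumptions made for illustration.

```python
import json

# Assumed character set for illustration; the set ServiceStack escapes may differ.
HTML_CHARS = "<>&'"
_ESCAPES = {ord(c): "\\u%04x" % ord(c) for c in HTML_CHARS}


def escape_html_chars(json_text: str) -> str:
    """Rewrite HTML-significant characters in serialized JSON as \\uXXXX.

    In valid JSON these characters can only occur inside string literals
    (keys or values), never in structural syntax, so a text-level
    replacement yields a document that parses to the same data.
    """
    return json_text.translate(_ESCAPES)


def to_safe_json(obj) -> str:
    """Serialize obj, then escape HTML characters in the result."""
    return escape_html_chars(json.dumps(obj))


def contains_raw_html_chars(json_text: str) -> bool:
    """True if any character from HTML_CHARS appears literally in the text."""
    return any(c in json_text for c in HTML_CHARS)


# Constructed sample response, not taken from the original post.
# Note the HTML character in a key as well as in values.
SAMPLE = {"name": "<b>Tom & Jerry</b>", "note": "it's bold", "a<b": 1}

if __name__ == "__main__":
    raw = json.dumps(SAMPLE)
    safe = to_safe_json(SAMPLE)
    print(raw)
    print(safe)
    print("round-trips:", json.loads(safe) == SAMPLE)
    print("raw HTML chars left:", contains_raw_html_chars(safe))
```

A standards-compliant JSON parser decodes the escaped text to exactly the same strings, so clients need no changes; only the bytes on the wire differ.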