Irrelevant to web API?
Hi.
This security concern is irrelevant to web API, right? That's why it is titled "Prevent Cross-Site Scripting (XSS) in ASP.NET Core", i.e. web API is not mentioned at all, and I guess this is also why the example solutions refer to Razor Pages, right? In other words, the problem applies to MVC because it builds the pages it serves.
In my understanding, a RESTful web API's response type is typically application/json, so it only declares that it correctly returns JSON, not web pages. Besides, the API's clients might not even be browsers at all. In other words, it's client-agnostic.
And I think this is why I have observed that web API clients that are web pages, like SPA libraries (single page applications), take care to properly HTML-encode the content they need to present themselves.
Is this right? The topic is a little vaguely covered on the web.
Thank you.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 33c64844-bd39-46c9-8b52-192834fa625a
- Version Independent ID: 94f92690-9791-a4eb-9256-30a497afccd1
- Content: Prevent Cross-Site Scripting (XSS) in ASP.NET Core
- Content Source: aspnetcore/security/cross-site-scripting.md
- Product: aspnet-core
- Technology: aspnetcore-security
- GitHub Login: @Rick-Anderson
- Microsoft Alias: riande