WoYiGuis BLoG
It seems that most people are not too popular with json xss recently, Google once: http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
It seems that you already know this.
Therefore, it is easy to prevent such XSS attacks. For example, the pages with XSS vulnerabilities are as follows:
<? PHP
$ Woyigui = $ _ GET ["xss"];
Echo $ woyigui;
?>
Of course, the specific application is more complex, and the patching method is very simple. developers can change it to the following:
<? PHP
Header ("Content-type: application/json ");
$ Woyigui = $ _ GET ["xss"];
Echo $ woyigui;
?>
Modify the MIME document type. During the test, we found that text/plain and application/x-zip-compressed will be parsed by IE. There should be others, but none of them were tested one by one.
More documents:
Http://www.rfc-editor.org/rfc/rfc4627.txt
Html> http://www.dev411.com/blog/2006/07/24/json-xss-exploit-dont-use-text-html
Http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
Http://www.souzz.net/html/Security/3/38128.html
Http://hi.baidu.com/momoca/blog/item/91317bf451b322d9f2d385f8.html Content-type table