Python: Add json.dumps() as XSS sanitizer #19

Open

mrigankpawagi wants to merge 1 commit into main from improve-py-xss-json-response

Conversation

@mrigankpawagi

Owner

Fix

Adds json.dumps() as a sanitizer for the py/reflective-xss query.

Problem

When user input is serialized via json.dumps() and returned with Content-Type: application/json, browsers do not render it as HTML, making XSS impossible. Additionally, json.dumps() escapes characters like <, >, & in its output. The current query flags these patterns as reflected XSS vulnerabilities.

Validation

JSON API endpoints that serialize user data with json.dumps() and return JSON responses are a common pattern in Flask/Django APIs that the query incorrectly flags.

The output of json.dumps() is JSON-formatted data that is typically returned with application/json Content-Type. Browsers do not render JSON responses as HTML, preventing XSS attacks. This eliminates false positives on JSON API endpoints.
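Added here as a worked check, not code from the PR or from the py/reflective-xss query it modifies: a small stand-alone script showing what json.dumps() escapes with its default arguments, the extra HTML-safe escaping that Jinja2's tojson filter applies on top of it (re-implemented inline for illustration), and why modelling json.dumps() as a sanitizer only holds when the response is actually served as application/json. The sample payload and the helpers reflect, could_render_as_html and raw_tag_reaches_html are constructed for this example and do not exist in the PR.

```python
import json

# Constructed sample input (not from the PR): a classic script-breakout payload.
PAYLOAD = '</script><script>alert(1)</script>'

# Characters json.dumps() leaves alone but which matter inside HTML, and the
# JSON escape each maps to. This is the substitution Jinja2's tojson filter
# performs; it is re-implemented here for illustration.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
}


def default_dumps(value):
    """json.dumps() with default arguments. It escapes double quotes,
    backslashes, control characters and (ensure_ascii=True) non-ASCII
    characters, but leaves '<', '>' and '&' untouched."""
    return json.dumps(value)


def html_safe_dumps(value):
    """JSON that stays inert when embedded in HTML (e.g. inside <script>):
    still valid JSON that round-trips through json.loads(), but with no raw
    tag delimiters left in the output."""
    out = json.dumps(value)
    for ch, esc in _HTML_UNSAFE.items():
        out = out.replace(ch, esc)
    return out


def could_render_as_html(content_type):
    """Hypothetical helper: True when the browser will parse the body as HTML.
    Only text/html qualifies; application/json is displayed as text."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media == "text/html"


def reflect(payload, content_type="application/json", dumps=default_dumps):
    """Stand-in for a view function that echoes user input as JSON and
    returns (body, content_type). Note that a Flask view returning a bare
    str gets text/html, Flask's default mimetype, unless told otherwise."""
    return dumps({"echo": payload}), content_type


def raw_tag_reaches_html(payload, content_type, dumps=default_dumps):
    """The property the sanitizer rests on: does a <script> tag from the
    input survive serialization *and* land in a body the browser treats
    as HTML? Both conditions must hold for the reflection to matter."""
    body, ct = reflect(payload, content_type, dumps)
    return could_render_as_html(ct) and "<script>" in body


if __name__ == "__main__":
    print(default_dumps(PAYLOAD))        # tag delimiters untouched
    print(html_safe_dumps(PAYLOAD))      # \u003cscript\u003e ...
    for ct in ("application/json", "text/html"):
        print(ct, raw_tag_reaches_html(PAYLOAD, ct))
        print(ct, raw_tag_reaches_html(PAYLOAD, ct, html_safe_dumps))
```

Run it with plain python; no Flask or Django is needed. The caveat for anyone relying on this sanitizer: json.dumps() by itself does not remove tag delimiters, so the protection comes from the response's Content-Type, not from the serializer. If the serialized string ends up in a text/html response (for example a bare str returned from a Flask view) or is interpolated into a template's <script> block, the payload above breaks out unchanged, and only the HTML-safe variant keeps it inert in that context.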