I’m a fan of the swiss cheese model of safety. While blindly blocking arbitrary characters is a bit silly, not filtering/encoding the data even on the output from web services can end up in disaster.
It’s an open API that serves publicly-sourced data. I’d not want to serve up anything more than markup content even if every single API call had perfect handling. At least not without a lot more sophisticated filtering in front of it. Even certain totally valid arrangements of HTML can be vulnerable as all hell.
Even certain markup systems have problems, but I doubt this one has huge vulnerabilities to exploit. Certain wiki systems in the past had to be completely retired over such things.
The point of encoding, the process of representing data in a different way, is to have the data set not be tainted. :)
Here, for example: https://www.w3schools.com/html/html_entities.asp
I’m a fan of the swiss cheese model of safety. While blindly blocking arbitrary characters is a bit silly, not filtering/encoding the data even on the output from web services can end up in disaster.
It’s an open API that serves publicly-sourced data. I’d not want to serve up anything more than markup content even if every single API call had perfect handling. At least not without a lot more sophisticated filtering in front of it. Even certain totally valid arrangements of HTML can be vulnerable as all hell.
Even certain markup systems have problems, but I doubt this one has huge vulnerabilities to exploit. Certain wiki systems in the past had to be completely retired over such things.