Fix XSS in API Responses in CakePHP

API endpoints in CakePHP are prime targets for XSS when developers bypass the built-in View classes. If a controller reflects unsanitized user input in a response without a strict 'application/json' Content-Type, or if the JSON is embedded in an HTML context, browsers may interpret the payload as executable scripts. This vulnerability typically arises from manual JSON encoding or improper response header management.

The Vulnerable Pattern

public function profile() {
    $username = $this->request->getQuery('username');
    // VULNERABLE: Manually echoing JSON without setting the correct Content-Type header
    // This allows browser MIME-sniffing and script execution if the payload is 
    echo json_encode(['username' => $username]);
    return $this->response;
}

The Secure Implementation

The exploit works because browsers may attempt to guess the content type (MIME-sniffing) if the header is missing or generic (like text/html). By using CakePHP's JsonView class, the framework automatically sets the 'Content-Type: application/json' header, which instructs the browser to treat the body as data, not as an executable document. Additionally, ensure that any JSON rendered inside a script tag in a .php template is escaped using 'h()' or 'json_encode' with the 'JSON_HEX_TAG' flag to prevent breaking out of the JS string context.

public function profile() {
    $username = $this->request->getQuery('username');
    $this->set(compact('username'));
    // SECURE: Use CakePHP's built-in JsonView
    // This forces Content-Type: application/json and handles proper encoding
    $this->viewBuilder()->setClassName('Json');
    $this->set('_serialize', ['username']);
}