GuardAPI

Fix XSS in API Responses in Iris

XSS in API responses occurs when untrusted user input is reflected in the response body without proper encoding, or with an incorrect Content-Type header. In Iris, this typically happens when developers use generic write methods or HTML-rendering functions to return data that should be treated strictly as JSON, allowing browsers to execute injected scripts via MIME sniffing or direct HTML interpretation.

The Vulnerable Pattern

app.Get("/profile/{username}", func(ctx iris.Context) {
    username := ctx.Params().Get("username")
    // VULNERABLE: Reflecting raw input into an HTML context
    ctx.HTML("User: " + username)
})

The Secure Implementation

The vulnerability exists because ctx.HTML sets the Content-Type to text/html, instructing the browser to parse the response as a document. An attacker who supplies a script payload in the username parameter triggers execution. The fix involves three layers:

1. Use ctx.JSON(), which sets application/json and prevents the browser from rendering the payload as HTML.
2. Send 'X-Content-Type-Options: nosniff' so browsers do not guess the content type and execute code in non-HTML responses.
3. If HTML reflection is mandatory, use the 'html/template' package or a library like 'bluemonday' to sanitize the input before rendering.

app.Get("/profile/{username}", func(ctx iris.Context) {
    username := ctx.Params().Get("username")
    // SECURE: Use ctx.JSON to enforce application/json and automatic escaping
    ctx.JSON(iris.Map{"username": username})
})

// Alternative: Global security headers middleware
app.Use(func(ctx iris.Context) {
    ctx.Header("X-Content-Type-Options", "nosniff")
    ctx.Header("X-Frame-Options", "DENY")
    ctx.Header("Content-Security-Policy", "default-src 'self'")
    ctx.Next()
})
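The three layers above, carried through as an added example that is not from the article or the Iris project: it uses only Go's standard library (net/http, encoding/json, html/template) so it runs without Iris, and the /profile route, the username and format query parameters, and the template are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"html/template"
	"net/http"
)

// Constructed template for the "HTML reflection is mandatory" case; {{.}} is escaped for its HTML context.
var profileTmpl = template.Must(template.New("p").Parse("<p>User: {{.}}</p>"))

// Layer 1: encoding/json writes <, > and & as \u003c, \u003e and \u0026, so input never forms a tag.
func jsonProfile(w http.ResponseWriter, username string) error {
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	return json.NewEncoder(w).Encode(map[string]string{"username": username})
}

// Layer 3: html/template entity-encodes the value instead of concatenating it into markup.
func htmlProfile(w http.ResponseWriter, username string) error {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	return profileTmpl.Execute(w, username)
}

// Layer 2: nosniff stops MIME guessing; the other two headers mirror the article's middleware.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "default-src 'self'")
		next.ServeHTTP(w, r)
	})
}

// newProfileHandler wires the layers: JSON by default, escaped HTML on ?format=html
// (hypothetical query parameters chosen for this example).
func newProfileHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/profile", func(w http.ResponseWriter, r *http.Request) {
		u := r.URL.Query().Get("username")
		if r.URL.Query().Get("format") == "html" {
			_ = htmlProfile(w, u)
			return
		}
		_ = jsonProfile(w, u)
	})
	return securityHeaders(mux)
}
```

Serve it with http.ListenAndServe(addr, newProfileHandler()) and request /profile?username=%3Cb%3Ex to see the JSON body carry \u003cb\u003ex rather than a tag.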


Verified by Ghost Labs Security Team
