GuardAPI Logo
GuardAPI
Automated Security Protocol

How to fix XSS in API Responses
in Poem

Executive Summary

Poem is a high-performance Rust web framework, but like any web toolkit, it's susceptible to XSS if you're reflecting unsanitized input into HTML responses. The core issue arises when handlers return raw strings or manually constructed HTML templates without proper contextual encoding. If an attacker can inject a script tag into a parameter that gets rendered in the response body, you've got a reflected XSS vulnerability.

The Vulnerable Pattern

VULNERABLE CODE
use poem::{handler, web::Query, Route};
use serde::Deserialize;

#[derive(Deserialize)]
struct Params {
name: String,
}


#[handler]
fn hello(Query(params): Query) -> String {
// VULNERABLE: Direct string interpolation into HTML without escaping.
// If name is , it executes in the browser.
format!(“
Hello, {}!
”, params.name)
}

The Secure Implementation

The vulnerable example returns a raw String which, depending on headers, the browser may interpret as HTML. Even if the framework defaults to text/plain, many developers explicitly set Content-Type to text/html for custom templates. The fix involves two steps: 1) Use a library like 'html-escape' to perform entity encoding on user-controlled data (converting < to <, etc.). 2) Use Poem's 'Html' responder type to ensure the 'Content-Type' header is correctly set to 'text/html; charset=utf-8'. For larger projects, use a templating engine like Askama or Maud which provides auto-escaping by default.

SECURE CODE
use poem::{handler, web::Query, web::Html};
use serde::Deserialize;
use html_escape::encode_safe;

#[derive(Deserialize)]
struct Params {
name: String,
}


#[handler]
fn hello(Query(params): Query) -> Html {
// SECURE: Use html_escape crate to encode the input and wrap in Html type.
let escaped_name = encode_safe(&params.name);
Html(format!(“
Hello, {}!
”, escaped_name))
}

System Alert • ID: 2880
Target: API Responses API
Potential Vulnerability

Your API Responses API might be exposed to XSS

74% of API Responses apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X