Fix XSS in API Responses in Slim
XSS in APIs occurs when your Slim routes reflect unsanitized input directly into the response body. While often associated with HTML templates, APIs are vulnerable if they lack proper Content-Type headers or return raw data that a browser might 'sniff' and execute. If you're outputting raw strings or failing to enforce application/json, you're handing an execution vector to the attacker.
The Vulnerable Pattern
$app->get('/user/search', function ($request, $response) {
$term = $request->getQueryParams()['q'] ?? '';
// VULNERABLE: Direct reflection of input without encoding or strict Content-Type
$response->getBody()->write("Results for: " . $term);
return $response;
});The Secure Implementation
The fix is twofold: Strict Output Encoding and Header Enforcement. In the vulnerable example, the browser may default to text/html, allowing // and runs json_encode() which escapes dangerous characters. return $response->withJson($data, 200);
});
Your API Responses API
might be exposed to XSS
74% of API Responses apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.