Fix XSS in API Responses in Spiral
Spiral's high-performance architecture doesn't protect you from fundamental injection flaws. XSS in API responses occurs when an attacker-controlled payload is reflected back into the DOM via an improperly secured endpoint. In Spiral, this usually happens when developers manually construct responses or mismanage the 'Content-Type' header, leading the browser to execute malicious scripts instead of parsing data.
The Vulnerable Pattern
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

public function index(ServerRequestInterface $request): ResponseInterface
{
    $name = $request->getQueryParams()['name'] ?? 'Guest';
    $response = new \Spiral\Http\Response();
    // VULNERABLE: reflecting raw query input directly into a text/html response;
    // any markup in $name is rendered, and any script in it is executed, by the browser.
    $response->getBody()->write("Welcome, $name");
    return $response->withHeader('Content-Type', 'text/html');
}
The Secure Implementation
To mitigate XSS in Spiral, you must enforce strict output handling.
1. Use the 'ResponseWrapper' service to return JSON payloads; this forces the browser to treat the body as data, not markup.
2. If you must return HTML, use Spiral's 'Views' (Stempler), which provides automatic contextual escaping.
3. Avoid manual manipulation of 'Psr\Http\Message\StreamInterface' with raw user input.
4. Implement a 'Content-Security-Policy' (CSP) middleware to block inline script execution as a secondary layer of defense.
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Spiral\Http\ResponseWrapper;

public function index(ResponseWrapper $response, ServerRequestInterface $request): ResponseInterface
{
    $name = $request->getQueryParams()['name'] ?? 'Guest';
    // SECURE: use ResponseWrapper to return JSON.
    // This sets 'Content-Type: application/json' and JSON-encodes the payload,
    // so the browser parses the body as data rather than markup.
    return $response->json([
        'message' => 'Welcome',
        'user' => $name
    ], 200);
}
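The two controls that do the real work above are the Content-Type and the CSP header, and it helps to see them applied outside a controller. The following is an added example, not code from the original page or from the Spiral project: a framework-agnostic PSR-7/PSR-15 version of steps 1 and 4, using nyholm/psr7 for a concrete Response and a constructed request whose 'name' parameter carries markup. The jsonResponse() helper and CspMiddleware class are this example's own names. It pins the body to application/json, adds X-Content-Type-Options: nosniff so older browsers cannot sniff the body into text/html, and encodes angle brackets with JSON_HEX_* flags as defense in depth (plain json_encode() leaves a '<' untouched; the content type, not the encoding, is what keeps the browser from executing it).

```php
<?php
// Added example: PSR-7/PSR-15 hardening of an API response (not Spiral's own code).
// Assumes: composer require nyholm/psr7 psr/http-server-middleware ; run with php example.php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Nyholm\Psr7\Factory\Psr17Factory;
use Nyholm\Psr7\ServerRequest;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Build a JSON response whose body will not be parsed as markup:
 *  - Content-Type pins the body to application/json.
 *  - X-Content-Type-Options: nosniff blocks legacy MIME sniffing into text/html.
 *  - JSON_HEX_* flags emit <, >, &, ', " as \uXXXX escapes, so even a copy of this
 *    payload pasted into an HTML context carries no raw tags (defense in depth).
 */
function jsonResponse(Psr17Factory $factory, array $data, int $code = 200): ResponseInterface
{
    $body = json_encode(
        $data,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );

    return $factory->createResponse($code)
        ->withHeader('Content-Type', 'application/json; charset=utf-8')
        ->withHeader('X-Content-Type-Options', 'nosniff')
        ->withBody($factory->createStream($body));
}

/** PSR-15 middleware that stamps a restrictive CSP on every response (step 4 above). */
final class CspMiddleware implements MiddlewareInterface
{
    // No 'unsafe-inline': inline scripts, even if reflected into an HTML page, are refused.
    private const POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; "
        . "base-uri 'self'; frame-ancestors 'none'";

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);
        // Keep a policy a downstream handler deliberately set; otherwise apply the default.
        return $response->hasHeader('Content-Security-Policy')
            ? $response
            : $response->withHeader('Content-Security-Policy', self::POLICY);
    }
}

// --- Demonstration on a constructed request whose 'name' parameter contains markup ---
$factory = new Psr17Factory();
$request = new ServerRequest('GET', '/welcome?name=%3Cb%3EGuest%3C%2Fb%3E%3Cscript%3E1%3C%2Fscript%3E');
parse_str($request->getUri()->getQuery(), $query);
$request = $request->withQueryParams($query);

// Minimal handler standing in for the controller action from the article.
$handler = new class($factory) implements RequestHandlerInterface {
    public function __construct(private Psr17Factory $factory) {}

    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        $name = $request->getQueryParams()['name'] ?? 'Guest';
        return jsonResponse($this->factory, ['message' => 'Welcome', 'user' => $name]);
    }
};

$response = (new CspMiddleware())->process($request, $handler);

echo $response->getHeaderLine('Content-Type'), PHP_EOL;
echo $response->getHeaderLine('X-Content-Type-Options'), PHP_EOL;
echo $response->getHeaderLine('Content-Security-Policy'), PHP_EOL;
echo (string) $response->getBody(), PHP_EOL;

// Check: no raw angle bracket survives in the body after encoding.
if (str_contains((string) $response->getBody(), '<')) {
    throw new RuntimeException('raw markup leaked into JSON body');
}
```

In a Spiral application the middleware is registered once, in a bootloader, through the HTTP bootloader's addMiddleware() (see the Spiral HTTP middleware docs for your version) rather than wrapped around each handler as the demonstration does here; the jsonResponse() helper corresponds to what ResponseWrapper::json() gives you, with the nosniff header and JSON_HEX_* flags added on top.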
Verified by Ghost Labs Security Team