I’m a fan of the swiss cheese model of safety. While blindly blocking arbitrary characters is a bit silly, not filtering/encoding the data even on the output from web services can end up in disaster.
It’s an open API that serves publicly-sourced data. I’d not want to serve up anything more than markup content even if every single API call had perfect handling. At least not without a lot more sophisticated filtering in front of it. Even certain totally valid arrangements of HTML can be vulnerable as all hell.
Even certain markup systems have problems, but I doubt this one has huge vulnerabilities to exploit. Certain wiki systems in the past had to be completely retired over such things.
I’m a fan of the swiss cheese model of safety. While blindly blocking arbitrary characters is a bit silly, not filtering/encoding the data even on the output from web services can end up in disaster.
It’s an open API that serves publicly-sourced data. I’d not want to serve up anything more than markup content even if every single API call had perfect handling. At least not without a lot more sophisticated filtering in front of it. Even certain totally valid arrangements of HTML can be vulnerable as all hell.
Even certain markup systems have problems, but I doubt this one has huge vulnerabilities to exploit. Certain wiki systems in the past had to be completely retired over such things.