Simon Willison’s Weblog

Don't serve JSON as text/html. Another sneaky XSS trick.
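An added example (not from the original post): a sender for a Node.js-style response object that labels JSON as `application/json` with `nosniff`, next to a check that flags JSON bodies labelled `text/html`. The function names and the sample body are constructed for illustration.

```javascript
// Constructed sample: a JSON document whose string value contains markup.
// Labelled text/html, a browser parses that markup instead of treating it as data.
const SAMPLE_BODY = JSON.stringify({ name: "<b>user-supplied</b>" });

// Media type of a Content-Type value, lowercased, parameters dropped.
function mediaType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// True when the body is a well-formed JSON object or array document.
function looksLikeJson(body) {
  const text = String(body).trim();
  if (!/^[\[{]/.test(text)) return false;
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Audit one response: returns a list of findings for JSON bodies only.
function auditJsonResponse(headers, body) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  if (!looksLikeJson(body)) return findings;
  const type = mediaType(h["content-type"]);
  if (type === "text/html" || type === "application/xhtml+xml") {
    findings.push("json-served-as-html");
  } else if (type === "") {
    findings.push("missing-content-type"); // browser may sniff the type
  }
  if (String(h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("missing-nosniff");
  }
  return findings;
}

// Hardened sender: explicit JSON type, sniffing disabled.
function sendJson(res, data) {
  res.setHeader("Content-Type", "application/json; charset=utf-8");
  res.setHeader("X-Content-Type-Options", "nosniff");
  res.end(JSON.stringify(data));
}
```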
