Simon Willison’s Weblog

Don't serve JSON as text/html. Another sneaky XSS trick.

Posted 5th July 2006 at 11:46 pm

Recent articles

Grok: searching X for "from:elonmusk (Israel OR Palestine OR Hamas OR Gaza)" - 11th July 2025
Phoenix.new is Fly's entry into the prompt-driven app development space - 23rd June 2025
Trying out the new Gemini 2.5 model family - 17th June 2025

http 96 json 143 security 529 xss 60

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe