Several API formats allow the inclusion of arbitrary HTML in responses, and XSS is prevented only by the Content-Type header. This causes a false positive in McAfee Secure and possibly other vulnerability scanners. McAfee can be petitioned to recognise such scan responses as false positives, but this process is difficult and unreliable, and has to be repeated regularly.
I would like to have a configurable "scan-safe" mode, off by default, which will disable the following output formats: php, txt, dbg and dump. The documentation should be updated to indicate that these formats are not preferred and will not work on all installations.
Additionally, json_encode() should use the JSON_HEX_TAG option where it is available (i.e. PHP 5.3.0+), regardless of configuration. In scan-safe mode on PHP < 5.3, a JSON encoder which does not pass through "<" characters should be used.
Version: 1.20.x
Severity: normal
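The following is an added illustration, not MediaWiki code, of the JSON_HEX_TAG point above and of the fallback asked for on PHP < 5.3. The helper names scanSafeJsonEncode() and containsHtmlTag() and the sample result array are assumptions made here; they do not correspond to anything in ApiFormatJson.

```php
<?php
// Added example (not MediaWiki code). Shows why JSON_HEX_TAG matters and
// gives a fallback encoder for PHP < 5.3, where json_encode() takes no flags.

/**
 * Encode $value as JSON such that the output contains no literal "<" or ">".
 * Assumed helper name; not part of the API code base.
 */
function scanSafeJsonEncode( $value ) {
	if ( defined( 'JSON_HEX_TAG' ) ) {
		// PHP 5.3.0+: json_encode() emits \u003C and \u003E itself.
		return json_encode( $value, JSON_HEX_TAG );
	}
	// PHP 5.2: json_encode() exists but accepts no flags. "<" and ">" are
	// not JSON structural characters, so every occurrence in the encoded
	// text lies inside a string literal, where a \uXXXX escape is legal.
	// Backslashes were already doubled by json_encode(), so "\\<" becomes
	// "\\\u003C" and still decodes to a backslash followed by "<".
	return str_replace(
		array( '<', '>' ),
		array( '\u003C', '\u003E' ),
		json_encode( $value )
	);
}

/**
 * True if $json contains something a scanner (or a browser sniffing
 * text/html) could read as the start of an HTML tag. Assumed helper name.
 */
function containsHtmlTag( $json ) {
	return preg_match( '/<[a-zA-Z\/!]/', $json ) === 1;
}

// Constructed sample resembling an API result whose page title carries
// markup that a wiki user controls.
$result = array(
	'query' => array(
		'pages' => array(
			'1' => array( 'title' => '<script>alert(1)</script>' ),
		),
	),
);

$unsafe = json_encode( $result );        // "<script>" appears verbatim
$safe   = scanSafeJsonEncode( $result ); // escaped as \u003Cscript\u003E

var_dump( containsHtmlTag( $unsafe ) );
var_dump( containsHtmlTag( $safe ) );

// The escaped form is still ordinary JSON and round-trips to the same data,
// so clients need no changes.
var_dump( json_decode( $safe, true ) === $result );
```

Escaping "<" and ">" costs nothing for JSON consumers, which is why it can be applied unconditionally rather than only in scan-safe mode; the post-processing fallback is only needed because json_encode() before 5.3.0 has no second parameter.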