== Why is this an issue?

Setting the wrong Content-Type for a response can leave an application vulnerable to cross-site scripting attacks. Specifically, JSON should always be served with the ``++application/json++`` Content-Type.


This rule checks the Content-Type of responses containing classes in the ``++org.json++`` and ``++javax.json++`` packages.


=== Noncompliant code example

[source,java]
----
public void doGet(HttpServletRequest request, HttpServletResponse response) {
  JSONObject jsonRespone = getJsonResponse(request);

  try {
    response.setContentType("text/html");  // Noncompliant; wrong type
    PrintWriter out = response.getWriter();
    out.println(jsonResponse.toJSONString());
    out.close();
  } catch (IOException e) {
    e.printStackTrace();
  }
}

public void doPost(HttpServletRequest request, HttpServletResponse response) {  // Noncompliant; response type not set
  JSONObject jsonRespone = getJsonResponse(request);

  try {
    PrintWriter out = response.getWriter();
    out.println(jsonResponse.toJSONString());
    out.close();
  } catch (IOException e) {
    e.printStackTrace();
  }
}
----


:link-with-uscores1: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

== Resources

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* {link-with-uscores1}[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

endif::env-github,rspecator-view[]