Simon Willison’s Weblog

Don't serve JSON as text/html. Another sneaky XSS trick.

Posted 5th July 2006 at 11:46 pm

Recent articles

Vibe scraping and vibe coding a schedule app for Open Sauce 2025 entirely on my phone - 17th July 2025
Happy 20th birthday Django! Here's my talk on Django Origins from Django's 10th - 13th July 2025
Grok: searching X for "from:elonmusk (Israel OR Palestine OR Hamas OR Gaza)" - 11th July 2025

http 96 json 143 security 529 xss 60

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe