Simon Willison’s Weblog

Don't serve JSON as text/html. Another sneaky XSS trick.
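The mechanism behind the trick: if an endpoint that returns JSON containing user-supplied strings is labelled `text/html`, a victim who navigates straight to that URL gets the body parsed as HTML, so a `<script>` tag hidden inside a string value runs in the site's origin. The following is an added example, not code from Simon Willison's post; the function names (`jsonResponseUnsafe`, `jsonResponseSafe`, `escapeJsonForHtml`, `containsHtmlTag`) and the sample record are hypothetical, constructed here to contrast the vulnerable response shape with a hardened one.

```javascript
// Added example, not from the original post. Shows why JSON served as
// text/html is an XSS vector and the two fixes that close it: the correct
// media type plus nosniff, and JSON \u escapes for HTML-significant characters.

// Constructed sample record; "name" stands in for attacker-controlled input.
const record = { name: '</script><script>alert(document.cookie)</script>', id: 7 };

// Vulnerable shape (hypothetical handler): valid JSON, but labelled text/html.
// A browser navigated to this URL renders the body as HTML and executes the
// script tag embedded in the string value.
function jsonResponseUnsafe(obj) {
  return {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8' },
    body: JSON.stringify(obj),
  };
}

// Escape <, >, & and the two JS line terminators as \uXXXX. These escapes are
// legal JSON (JSON.parse round-trips them) but can never open an HTML tag,
// so the body is harmless even if some proxy or sniffer treats it as HTML.
function escapeJsonForHtml(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened shape (hypothetical handler): application/json so the browser
// shows the body as text, nosniff so it will not second-guess the label,
// and the defensive escaping above as belt-and-braces.
function jsonResponseSafe(obj) {
  return {
    status: 200,
    headers: {
      'content-type': 'application/json; charset=utf-8',
      'x-content-type-options': 'nosniff',
    },
    body: escapeJsonForHtml(JSON.stringify(obj)),
  };
}

// Cheap check used to demonstrate the difference: does the body contain a
// literal HTML tag opener?
function containsHtmlTag(body) {
  return /<[a-z/]/i.test(body);
}

console.log(jsonResponseUnsafe(record).body);
console.log(jsonResponseSafe(record).body);
```

The escaping step is the part people skip: `application/json` alone stops a direct navigation from rendering, but the `\u003c` form also survives the response being embedded into a `<script>` block or re-served by a misconfigured intermediary, while `JSON.parse` on the client still yields the original string unchanged.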