A modern programming language that makes developers happier.

kotlinlang

Hi
We use ktor 3 with ContentNegotiation
Are there ways to protect us against XSS? By escaping or sanitizing every field that is unserialized?

Can you describe your use case to protect against XSS in more detail?

we have a rest server, clients are
• pure rest clients
• a react app

a client could inject some html markups in our database, then if there is a flaw in react app it could eventually be executed

Do you mean for the kotlinx.serialization content converter?

Yes, actually we set ktor with
```install(ContentNegotiation) Httpp```
Reusing the <https://ktor.io/docs/server-serialization.html#create_data_class|example> of the plugin we have serializable data classes
```@Serializable
data class Customer(val id: Int, val firstName: String, val lastName: String)```
And ktor does the deserialization automatically
```post("/customer") {
    val customer = call.receive&lt;Customer&gt;()```
In this example, I'd like `firstName` and `lastName` to be sanitized
I'd like to set it up at one place and make it work for all routes

I can only recommend validating the properties in the `init` block of the `Customer`  class.

Either that, or make an interceptor that you add to the calls