Episerver with Webapi and Reflected Cross site scripting (XSS)


When using episerver with WebApi - it enable api controller for Reflected Cross site scripting (XSS) vulnerability.

When access resource via '/api/mycontroller/? <script>alert('hi');</script> '

result in 

No HTTP resource was found that matches the request URI 'http://localhost:8888/api/mycontroller/?"> <script>alert("hi");""></script> '.
No action was found on the controller 'GoldStandardTwitterFeed' that matches the request.

Reflected Cross site scripting (XSS) vulnerability. in response.

Note that the script tags are in the xml\JSON source.

If I drop the question mark, /api/mycontroller/. I'm getting correct HttpException.

"A potentially dangerous Request.Path value was detected from the client (<)."></).">

Doesn it due to default Episerver routes configuration, is any way to prevent this?  It's only happen when using webapi with Episerver

Default Route 

     new { id = RouteParameter.Optional 


public class DefaultAPIController : ApiController
	public IEnumerable Get()
		return new string[] { "value1", "value2" };


[Pasting files is not allowed]

Edited, May 19, 2017 17:13

"A potentially dangerous Request.Path" I think is from ASP.NET not from Epi.

Who consumes the API? You could add for example bearer token authentication or reqeust forgery protection or just filter input by some AntiXSS function.

May 26, 2017 9:21

Thanks Johan, It has been resolve. It's puplic page so can't used Bearer Token . Issue was default respose on 404 which include un decoded query string due to generic api route settings  '


We have encoded the respose and clear the respose.

May 26, 2017 10:19
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.