Output encoding ensures data sent from an API is properly formatted and does not cause unintended effects on the receiving end.
Requiring an API to encode its outputs is a security measure to prevent Cross-Site Scripting (XSS), HTTP Response Splitting, and Log Injection vulnerabilities.
Without proper encoding, an attacker could inject malicious scripts into API responses, which could be executed when displayed in a web application, leading to XSS attacks. Improperly encoded responses could allow attackers to manipulate HTTP headers, causing response splitting that may facilitate cache poisoning or session fixation.
Unencoded user input in logs could introduce log injection issues, obscuring attack traces or triggering unintended system behavior.
Encoding output ensures special characters are safely represented, preventing unintended execution or injection attacks.
Check
Verify the API encodes outputs.
If the API does not encode outputs, this is a finding.