Title: ExtraController return text/html instead application/json
Last modified: June 8, 2017

---

# ExtraController return text/html instead application/json

 *  [lukaszkbiznesport](https://wordpress.org/support/users/lukaszkbiznesport/)
 * (@lukaszkbiznesport)
 * [8 years, 11 months ago](https://wordpress.org/support/topic/extracontroller-return-texthtml-instead-applicationjson/)
 * Functions `list_terms()` and `list_posts()` return JSON content, but in the response
   header there’s a `text/html` Content-Type instead of `application/json`.
 * This is a potential XSS vulnerability.
 * [General]

   ```
   Request URL: XXX/wp-admin/admin-ajax.php
   Request Method: POST
   Status Code: 200 OK
   Referrer Policy: no-referrer-when-downgrade
   ```
 * [Request Header]

   ```
   POST /wp-admin/admin-ajax.php HTTP/1.1
   Connection: keep-alive
   Content-Length: 44
   User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   Accept: application/json, text/javascript, */*; q=0.01
   X-Requested-With: XMLHttpRequest
   Accept-Encoding: gzip, deflate, br
   Accept-Language: pl,en-US;q=0.8,en;q=0.6,de-DE;q=0.4,de;q=0.2
   ```
 * [Response Header]

   ```
   HTTP/1.1 200 OK
   Date: Thu, 08 Jun 2017 11:39:17 GMT
   Server: Apache/2.4.10 (Debian)
   Access-Control-Allow-Credentials: true
   X-Robots-Tag: noindex
   X-Content-Type-Options: nosniff
   Expires: Wed, 11 Jan 1984 05:00:00 GMT
   Cache-Control: no-cache, must-revalidate, max-age=0
   X-Frame-Options: SAMEORIGIN
   Vary: Accept-Encoding
   Content-Encoding: gzip
   Content-Length: 14859
   Keep-Alive: timeout=5, max=93
   Connection: Keep-Alive
   Content-Type: text/html; charset=UTF-8   <— Should be: application/json
   ```
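
A defender-side check for the condition reported above, as an added example that is not part of the original post or the plugin's code: it parses a raw response, flags a JSON body declared as `text/html`, and records why the `nosniff` header seen in the report does not help. The sample body, function names and finding codes are constructed for illustration.

```python
import json

# Constructed sample: headers taken from the response quoted in the post,
# body invented for illustration (a term name that contains markup).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '[{"term_id": 7, "name": "<b>Soups</b>"}]'
)
# Same response with the header the post says it should carry.
FIXED_RESPONSE = SAMPLE_RESPONSE.replace("text/html", "application/json")

HTML_TYPES = {"text/html", "application/xhtml+xml"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def is_json_document(body):
    """True if the body parses as a JSON object or array."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False

def audit(raw):
    """Return finding codes for a JSON body declared with the wrong type."""
    headers, body = parse_response(raw)
    mtype = headers.get("content-type", "").split(";")[0].strip().lower()
    if not is_json_document(body) or mtype == "application/json":
        return []
    if mtype not in HTML_TYPES:
        return ["json-with-unexpected-type:" + (mtype or "none")]
    findings = ["json-served-as-html"]
    if "<" in body:
        # Unescaped "<" is parsed as markup if the URL is opened as a page.
        findings.append("raw-markup-in-body")
    if headers.get("x-content-type-options", "").lower() == "nosniff":
        # nosniff only blocks guessing away from the declared type (HTML here).
        findings.append("nosniff-does-not-mitigate")
    return findings
```
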

Viewing 1 replies (of 1 total)

 *  Plugin Author [Brecht](https://wordpress.org/support/users/brechtvds/)
 * (@brechtvds)
 * [8 years, 11 months ago](https://wordpress.org/support/topic/extracontroller-return-texthtml-instead-applicationjson/#post-9209192)
 * I’m a bit confused. What functions are you referring to?
    We don’t use list_terms or list_posts anywhere in our code.
 * Kind regards,
    Brecht


The topic ‘ExtraController return text/html instead application/json’ is closed 
to new replies.


## Tags

 * [ajax](https://wordpress.org/support/topic-tag/ajax/)
 * [content-type](https://wordpress.org/support/topic-tag/content-type/)
 * [json](https://wordpress.org/support/topic-tag/json/)

 * 1 reply
 * 2 participants
 * Last reply from: [Brecht](https://wordpress.org/support/users/brechtvds/)
 * Last activity: [8 years, 11 months ago](https://wordpress.org/support/topic/extracontroller-return-texthtml-instead-applicationjson/#post-9209192)
 * Status: not resolved