Escape string fields exposed by the API to avoid XSS attacks
You can learn more about XSS on this Wikipedia page.
Booster APIs only deal with structured data and we don't make assumptions about how this data is going to be rendered in the client application, but there’s nothing stopping a user from storing some HTML that includes a script tag in one read model field and rendering it without proper escaping.
One thing we could do is to escape all strings returned by our API by default and provide some way to override this in the read models or command responses, maybe with a different UnescapedString type that we can treat differently at API generation time.
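The mechanics of the proposal above, as an added example that is not Booster's own code: a small walker that HTML-escapes every string field of a read model or command response before it leaves the API, and a hypothetical `UnescapedString` wrapper (an assumption here, not a Booster type) that lets a read model author opt a specific field out. The sample read model is constructed for the example and stands in for data an attacker could have stored through a command.

```typescript
// Added example, not Booster's code: escape-by-default for API responses with an explicit opt-out.

/** Hypothetical marker type (assumed, not part of Booster): wraps a string that must be returned verbatim. */
export class UnescapedString {
  constructor(public readonly value: string) {}
}

/** HTML-escape the five characters that matter in element and attribute context. */
export function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => {
    switch (ch) {
      case '&': return '&amp;'
      case '<': return '&lt;'
      case '>': return '&gt;'
      case '"': return '&quot;'
      default: return '&#39;'
    }
  })
}

/**
 * Recursively escape every string value in a response.
 * UnescapedString values are unwrapped and returned untouched; arrays and nested
 * objects are walked; numbers, booleans, null and undefined pass through unchanged.
 */
export function escapeResponse(value: unknown): unknown {
  if (value instanceof UnescapedString) return value.value
  if (typeof value === 'string') return escapeHtml(value)
  if (Array.isArray(value)) return value.map(escapeResponse)
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {}
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = escapeResponse(v)
    }
    return out
  }
  return value
}

// Constructed sample read model: the title and tags contain payloads a user could have stored via a command.
export const sampleReadModel = {
  id: 'post-1',
  title: '<script>alert(document.cookie)</script>',
  tags: ['<b>news</b>', 'safe'],
  author: { name: "O'Neil & Co", url: 'https://example.com/?a=1&b=2' },
  // Field the read model author explicitly declared as trusted, already-sanitised HTML.
  renderedBody: new UnescapedString('<p>Hello</p>'),
  views: 42,
}

export const escaped = escapeResponse(sampleReadModel) as Record<string, unknown>
```

Note that escaping for HTML inside the API assumes every consumer renders the values into HTML: a mobile app or another service would receive `&lt;script&gt;` where it expected raw text, and a front end that already escapes on render (as React and Angular templates do) would show the entities twice-encoded. That is the trade-off an opt-out type like the one sketched above has to cover, and it is why escaping is usually done at the point of rendering, where the output context is known.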