Update v8_09.md

mythz · mythz · commit 86a4a418e532 · 2025-10-15T15:19:00.000+08:00
diff --git a/MyApp/_pages/releases/v8_09.md b/MyApp/_pages/releases/v8_09.md
@@ -3142,3 +3142,26 @@ customizations see the [API Explorer Docs](https://docs.servicestack.net/api-exp
 ## XSS Vulnerability fixed in HtmlFormat.html
 
 Late in this release cycle a Customer has reported a DOM XSS vulnerability in ServiceStack's built-in HtmlFormat.html page which has been fixed in [this commit](https://github.com/ServiceStack/ServiceStack/commit/76df4609410f7b440c3fb153371a1d29b9c06ac0) and available from this ServiceStack v8.9+ release.
+
+Alternatively it can also be prevented by rejecting requests with `"` in its path:
+
+```csharp
+GlobalRequestFilters.Add((req, res, dto) => {
+    if (req.OriginalPathInfo.IndexOf('"') >= 0)
+        throw HttpError.Forbidden("Illegal characters in path");
+});
+```
+
+By reverting to the use old HTML Format:
+
+```csharp
+ServiceStack.Templates.HtmlTemplates.HtmlFormatName = "HtmlFormatLegacy.html";
+```
+
+Or by disabling the auto rendering of HTML API responses:
+
+```csharp
+SetConfig(new HostConfig {
+    EnableAutoHtmlResponses = false
+})
+```
