Sobelow.XSS.ContentType (Sobelow v0.11.1)
If an attacker can set an arbitrary content type on an HTTP response that contains user input, they can usually leverage this for cross-site scripting (XSS): the browser interprets the body according to the attacker-chosen type rather than the one the application intended.
For example, consider an endpoint that returns JSON with user input:
If an attacker can control the content type set in the HTTP response, they can set it to "text/html" and update the JSON to the following in order to cause XSS:
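Added example, not taken from the Sobelow documentation: a hypothetical Phoenix controller (module, action and parameter names are assumptions, as is the presence of Jason) in which the media type of a JSON response is taken from a request parameter, the pattern this check reports, beside two hardened forms that keep the media type under the server's control.

```elixir
defmodule MyAppWeb.ExportController do
  use MyAppWeb, :controller

  # Vulnerable: the media type is a request parameter. Sobelow's XSS.ContentType
  # check reports this call, because a caller who sets it to "text/html" turns a
  # JSON body that echoes user input into a document the browser renders as HTML.
  def export(conn, %{"format" => format, "query" => query}) do
    conn
    |> put_resp_content_type(format)
    |> send_resp(200, Jason.encode!(%{query: query}))
  end

  # Hardened: json/2 sets "application/json" itself and encodes the payload, so
  # user input only ever appears as a JSON string value, never as the media type.
  def export_fixed(conn, %{"query" => query}) do
    json(conn, %{query: query})
  end

  # If callers may pick among several representations, map the request value
  # onto a fixed allow-list of server-chosen media types instead of passing it on.
  @allowed_types %{"json" => "application/json", "csv" => "text/csv"}

  def export_negotiated(conn, %{"format" => format, "query" => query}) do
    case Map.fetch(@allowed_types, format) do
      {:ok, type} ->
        conn
        |> put_resp_content_type(type)
        |> send_resp(200, render_body(type, query))

      :error ->
        send_resp(conn, 400, "unsupported format")
    end
  end

  defp render_body("application/json", query), do: Jason.encode!(%{query: query})
  defp render_body("text/csv", query), do: "query\r\n" <> csv_field(query) <> "\r\n"

  # Quote a CSV field (assumed to be a string) so embedded quotes, commas and
  # newlines stay inside the field instead of breaking the row structure.
  defp csv_field(value), do: "\"" <> String.replace(value, "\"", "\"\"") <> "\""
end
```

Running `mix sobelow` against an application containing the first action reports it under XSS.ContentType; the two hardened actions only ever pass string literals the server chose to `put_resp_content_type/2`.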
Content Type checks can be ignored with the following command:
$ mix sobelow -i XSS.ContentType