When accessing, for instance, a revision in the web API, the JSON data is not escaped.
Example : author -> fullname in https://archive.softwareheritage.org/api/1/revision/18d8be353ed3480476f032475e7c233eff7371d5/
This makes us vulnerable to code injections and should be fixed throughout the API views.