# Tutorial 31: NFT JSON and XSS injection

{% hint style="info" %}
[**Book an audit with Zokyo**](https://www.zokyo.io/)
{% endhint %}

#### Introduction to JSON Injection Vulnerabilities in tokenURI Functions

In Solidity-based protocols, the `tokenURI` function is commonly used to return metadata for non-fungible tokens (NFTs). This metadata is often formatted as JSON, containing important information such as the token's name, description, and image. However, splicing unsanitized user input into that JSON string can expose smart contracts to **JSON injection vulnerabilities**. These vulnerabilities allow malicious actors to alter the structure of the JSON document itself, potentially leading to security breaches such as identity spoofing, cross-site scripting (XSS) attacks in the marketplaces and wallets that render the metadata, or misleading data representation.

This section will explore how these vulnerabilities arise and detail the risks associated with improper handling of JSON in smart contracts, especially in systems that rely on user-generated content or third-party applications.
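The following contract is an added example written for this tutorial and is not part of the original page or of any Zokyo code. It assumes a hypothetical `names` mapping that token holders can write to, and a hand-written `escapeJSON` helper rather than a library. It places an unescaped `tokenURI` builder next to an escaped one so the difference in where user input ends up in the JSON structure is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not from the tutorial): a minimal on-chain metadata builder.
/// Assumptions: `names` is user-controlled per token (hypothetical), and the
/// image CID is a placeholder rather than a real asset.
contract NftMetadataExample {
    bytes16 private constant HEX = "0123456789abcdef";

    mapping(uint256 => string) public names; // hypothetical holder-controlled field

    function setName(uint256 tokenId, string calldata name) external {
        names[tokenId] = name;
    }

    // VULNERABLE: the name is spliced straight into the JSON text.
    // A name containing a double quote terminates the "name" value early, so
    // the rest of the input becomes part of the document structure: fields such
    // as "image" can be overridden and any markup in the value reaches whichever
    // front end later renders the metadata.
    function tokenURIUnsafe(uint256 tokenId) external view returns (string memory) {
        return string.concat(
            'data:application/json;utf8,{"name":"', names[tokenId],
            '","description":"Example token","image":"ipfs://PLACEHOLDER_CID"}'
        );
    }

    // SAFER: every byte that could change the JSON structure is escaped first,
    // so the name can only ever be a string value inside the "name" field.
    function tokenURISafe(uint256 tokenId) external view returns (string memory) {
        return string.concat(
            'data:application/json;utf8,{"name":"', escapeJSON(names[tokenId]),
            '","description":"Example token","image":"ipfs://PLACEHOLDER_CID"}'
        );
    }

    /// Escapes `"`, `\` and control characters (< 0x20) as required by RFC 8259.
    function escapeJSON(string memory s) public pure returns (string memory) {
        bytes memory b = bytes(s);
        bytes memory out = new bytes(b.length * 6); // worst case: \u00XX per byte
        uint256 n = 0;
        for (uint256 i = 0; i < b.length; i++) {
            bytes1 c = b[i];
            if (c == '"' || c == '\\') {
                out[n++] = '\\';
                out[n++] = c;
            } else if (c == '\n') {
                out[n++] = '\\'; out[n++] = 'n';
            } else if (c == '\r') {
                out[n++] = '\\'; out[n++] = 'r';
            } else if (c == '\t') {
                out[n++] = '\\'; out[n++] = 't';
            } else if (uint8(c) < 0x20) {
                out[n++] = '\\'; out[n++] = 'u'; out[n++] = '0'; out[n++] = '0';
                out[n++] = HEX[uint8(c) >> 4];
                out[n++] = HEX[uint8(c) & 0x0f];
            } else {
                out[n++] = c;
            }
        }
        assembly { mstore(out, n) } // shrink the buffer to the bytes actually written
        return string(out);
    }
}
```

JSON escaping on-chain keeps the document structure intact, which closes the injection in the contract's own output. It does not make the value safe to render as HTML: a marketplace or wallet that reads `name` must still treat it as text (for example by setting `textContent` rather than `innerHTML`), otherwise the XSS risk described above simply moves from the metadata layer to the front end. Reviewers should check both sides: whether the contract escapes before concatenating, and whether known consumers render metadata fields as plain text.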

