How to change default Web API 2 to JSON formatter?

Question

I have a Web API project that returns some product data. It negotiates the return type correctly depending on the Accept header (JSON/XML) of the request. The problem is, if

Answer 1

FYI be careful of intercepting the text/html media type because this will also format the 404 responses from your server. And in my case, this led to a potential security issue because:

• malicious user browses to http://api.mysite.com/one/two?test=%3Cscript%3Ealert(%27hi%27)%3C/script%3E
• Web API returns the 404 object, which includes the URL. This is in JSON format because of the attribute above.
• Browser thinks the returned object is actually text/html, so it just renders the JSON object
• This causes the script tag embedded in the URL to execute. In my example URL above it is just an alert, but it could also be a window.location or anything sinister