Question

An app generates a PDF based on user-entered data in text fields. When copying and pasting, users can inadvertently end up pasting "tags" into the field. E.g.:

<foo@bar.com>  

The PDF generator plugin does not like this and crashes throwing an exception. The App vendor says this "escaping needs to be done on the plugin side" as all their tools/plugins are similar - escaping for sql injection, cross site etc. The plugin vendor says the App vendor needs to escape the tags.

My initial thoughts are that this is not enough for a catastrophic error that the plugin throws. I would have liked a PDF to still be generated but with a message "Something went wrong, problem with..." or just ignore the unknown tag and show it as is in the PDF (I've seen this before in a business app). But I'm not sure which side this nice error handling falls on.

In terms of software design, app vs plugin, which side is responsible objectively in this case?

The App takes data from the database (originally user-entered) and prepares a basic HTML string for conversion, e.g. in the App's controller action:

$html = "<html>...<p>$userNotes</p>...</html>";
return Response($this->plugin->htmlToPDF($html));

Solution

In the end this is a contractual or interpersonal matter, not technical.

However, there might be some technical considerations. The app usually presents a particular plugin interface. Plugin vendors will have to comply with this interface. If the documented interface deals with unescaped data, the plugin vendor will have to perform the necessary escaping.

In fact, it might be impossible to properly sanitize or escape the data prior to handing it off to a plugin. Different formats have different escaping rules. There is no one format that will be acceptable to all plugins. If the plugins were handed escaped data, most plugins would have to un-escape it first.

As an example of this difficulty, consider user input that contains a " double quote character. How would this have to be escaped for different formats?

  • JSON, SQL[1]: backslash-escapes: \"
  • XML, HTML: character reference &#34; or &quot;, sometimes no escape needed
  • some CSV dialects: repetition: ""
  • POSIX shell: backslash-escape \" or single-quotes: '"'
  • CMD shell: caret ^", sometimes no escape needed

[1] Manual escaping for SQL is usually inappropriate, as prepared statements should be preferred.

Similar considerations not only apply for “special characters”, but also for character encodings like UTF-8: the same encoding will not be accepted by all consumers, so the encoding needs to be documented and converted explicitly.
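An added example in Python (not part of the original question or answer): one raw string is encoded separately for each consumer in the list above, then parsed back with the matching parser to show that every encoding is different and only correct for its own format. The sample input is constructed, and `build_html` is a simplified, hypothetical stand-in for the question's template.

```python
import csv
import html
import io
import json
import shlex
import sqlite3

# Constructed sample input: the pasted "tag" from the question plus double quotes.
USER_NOTES = 'Contact <foo@bar.com> said "call back"'


def encode_for_sinks(value: str) -> dict:
    """Encode one raw string for each output format, at the point of use."""
    buf = io.StringIO()
    csv.writer(buf).writerow([value])
    return {
        "json": json.dumps(value),               # backslash-escape: \"
        "html": html.escape(value, quote=True),  # &lt; &gt; &quot;
        "csv": buf.getvalue().rstrip("\r\n"),    # repetition: ""
        "sh": shlex.quote(value),                # single-quoted word
    }


def decode_like_consumer(encoded: dict) -> dict:
    """Parse each encoded form with the matching parser to recover the raw text."""
    return {
        "json": json.loads(encoded["json"]),
        "html": html.unescape(encoded["html"]),
        "csv": next(csv.reader(io.StringIO(encoded["csv"])))[0],
        "sh": shlex.split(encoded["sh"])[0],
    }


def sql_round_trip(value: str) -> str:
    """SQL: bind the value as a parameter instead of escaping it by hand."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE notes (body TEXT)")
        db.execute("INSERT INTO notes (body) VALUES (?)", (value,))
        return db.execute("SELECT body FROM notes").fetchone()[0]
    finally:
        db.close()


def build_html(user_notes: str) -> str:
    """Simplified form of the question's template, notes escaped for HTML."""
    return f"<html><body><p>{html.escape(user_notes)}</p></body></html>"
```
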

Licensed under: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange