Question

I am designing a Web API which returns JSON as the content-type. The response body could contain characters like ', ", < and >, which are valid characters in JSON. So my question is: should I HTML-encode my Web API response body, or should I leave this task to the HTML client that is consuming my Web API?


Solution

No; you must not.

You must only escape data if and when you concatenate it into a structured format.

If you return JSON like { "text": "Content by X &amp; Y" }, anyone who reads that JSON will see the literal text &amp;.
It will only work correctly for extremely broken clients who concatenate it directly into their HTML without escaping.

In short:

Never escape text except when you're about to display it

OTHER TIPS

What platform are you using? For example, on Node.js you can use restify to handle that very well. You don't need to explicitly encode the data. Therefore, please find a RESTful framework or component to help you out.

Licensed under: CC-BY-SA with attribution