Newer Version Available
Response Body Encoding
| Character | Escaped as |
|---|---|
| < | < |
| > | > |
| " | " |
| ' | ' |
| \ | \ |
| & | & |
Chatter REST API does special encoding of any URL values included in response payloads. The main part of the URL is URL-encoded as per RFC2396, and the query string is HTML-form encoded. This encoding cannot be turned off.
Chatter REST API output can be used in many contexts. Don’t assume that the default entity encoding is appropriate for all contexts. Using Chatter REST API output inside HTML attribute values, inside URLs, with JavaScript, inside <script> tags, and inside CSS all require different encoding and whitelisting. See the Open Web Application Security Project for information on how to handle API output in different contexts.
For non-HTML contexts, such as native mobile applications, Chatter REST API clients can request raw (unencoded) output. Set the X-Chatter-Entity-Encoding HTTP header in a request to false.