This content describes an older version of this product.

Response Body Encoding

Chatter REST API responses are minimally HTML entity-encoded by default.
These characters are escaped in all strings:
Character   Escaped as
<           &lt;
>           &gt;
"           &quot;
'           &#39;
\           &#92;
&           &amp;

Chatter REST API applies separate encoding to any URL values included in response payloads. The main part of the URL is percent-encoded as per RFC 2396, and the query string is HTML form encoded (application/x-www-form-urlencoded). This URL encoding cannot be turned off.

Chatter REST API serves user-submitted content that is not necessarily filtered at input and that can come from many sources, including third-party mobile and web applications. Encode or otherwise process Chatter REST API output for the specific context in which your app uses it. Failing to do so can expose applications and users to cross-site scripting (XSS) exploits and other problems that can result in data loss, application failure, and exposure of company information.

Warning

Chatter REST API output can be used in many contexts. Don’t assume that the default entity encoding is appropriate for all of them. The default encoding touches only the six characters listed above; it does not escape spaces, the equals sign, newlines, or URL schemes. Using Chatter REST API output inside HTML attribute values, inside URLs, with JavaScript, inside <script> tags, and inside CSS each requires different encoding and allow-listing (whitelisting). See the Open Web Application Security Project (OWASP) Cross Site Scripting Prevention Cheat Sheet for information on how to handle API output in different contexts.

For non-HTML contexts, such as native mobile applications, Chatter REST API clients can request raw (unencoded) output by setting the X-Chatter-Entity-Encoding HTTP header to false in the request. The client is then responsible for all encoding of that output, for whatever context it renders it in.
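The points above, as an added JavaScript example that is not Salesforce's code or part of the original page: it re-implements the default six-character entity encoding locally for illustration (the server does this for you), builds the request headers with a placeholder access token, uses constructed post bodies, and applies context-specific encoders modelled on the OWASP XSS prevention rules to show where the default encoding is sufficient (element content) and where it is not (unquoted attributes, script string literals, href values).

```javascript
// Added example (not Salesforce code): reproduces the default Chatter entity
// encoding from the table above and contrasts it with the context-specific
// encoding a client must still apply. Run with: node chatter-encoding.js

// The six characters the page lists, as the default encoding escapes them.
// Local reimplementation for illustration; the server does this for you.
const CHATTER_ENTITY = { "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "\\": "&#92;", "&": "&amp;" };
const CHATTER_ENTITY_REVERSE = { lt: "<", gt: ">", quot: '"', amp: "&", "#39": "'", "#92": "\\" };

function chatterEntityEncode(s) {
  return s.replace(/[<>"'\\&]/g, (c) => CHATTER_ENTITY[c]);
}

// Single-pass inverse: "&amp;lt;" becomes "&lt;" (the user's literal text), not "<".
function chatterEntityDecode(s) {
  return s.replace(/&(lt|gt|quot|amp|#39|#92);/g, (_, name) => CHATTER_ENTITY_REVERSE[name]);
}

// Request headers. X-Chatter-Entity-Encoding: false asks for raw text; the
// client then owns every bit of encoding. (accessToken is a placeholder.)
function buildChatterHeaders(accessToken, { raw = false } = {}) {
  const headers = { Authorization: `Bearer ${accessToken}`, Accept: "application/json" };
  if (raw) headers["X-Chatter-Entity-Encoding"] = "false";
  return headers;
}

// Context-specific encoders, following the OWASP XSS prevention rules.
// HTML attribute: quote the attribute and escape everything but [A-Za-z0-9].
function encodeForHtmlAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string literal: \xHH / \uHHHH escapes, so quotes, backslashes,
// newlines and U+2028/U+2029 can never terminate the literal.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return "\\x" + cp.toString(16).padStart(2, "0");
    if (cp < 0x10000) return "\\u" + cp.toString(16).padStart(4, "0");
    return "\\u{" + cp.toString(16) + "}";
  });
}

// URL in an href: no amount of entity encoding stops a "javascript:" URL.
// Allow-list the scheme; the URL parser percent-encodes the rest.
function safeHref(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
}

// Constructed sample post bodies, as an attacker could submit them from any
// client, since Chatter does not filter input.
const RAW_BODY = "x onmouseover=alert(1) <script>alert('xss')</script>";
const RAW_WITH_NEWLINE = "hello\nalert(1)//";
const DEFAULT_ENCODED = chatterEntityEncode(RAW_BODY);

// Context 1: element content. The default encoding is sufficient here.
function renderAsText(encoded) { return `<p>${encoded}</p>`; }

// Context 2: unquoted attribute. Default encoding leaves space and "=" alone,
// so the browser parses "onmouseover=alert(1)" as a second attribute.
function renderUnquotedAttr(encoded) { return `<div title=${encoded}></div>`; }

// Hardened: decode the API's entities first (or request raw output), then
// apply the attribute encoder inside a quoted attribute. Encoding the
// already-encoded string instead would double-encode and show "&lt;" literally.
function renderQuotedAttr(encodedFromApi) {
  return `<div title="${encodeForHtmlAttribute(chatterEntityDecode(encodedFromApi))}"></div>`;
}

// Context 3: a string literal inside <script>. Default encoding stops "</script>"
// and quotes, but a raw newline still terminates the literal and breaks the script.
function renderJsString(value) { return `var body = '${value}';`; }

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderAsText(DEFAULT_ENCODED));
  console.log(renderUnquotedAttr(DEFAULT_ENCODED));                   // injected handler
  console.log(renderQuotedAttr(DEFAULT_ENCODED));                     // safe
  console.log(renderJsString(chatterEntityEncode(RAW_WITH_NEWLINE))); // broken literal
  console.log(renderJsString(encodeForJsString(RAW_WITH_NEWLINE)));   // safe
  console.log(safeHref("javascript:alert(1)"), safeHref("https://example.com/a b"));
  console.log(buildChatterHeaders("PLACEHOLDER_TOKEN", { raw: true }));
}
```

The unquoted-attribute and script-literal cases need no character from the default escape table to misbehave, which is the practical meaning of the warning above: pick the encoder for the sink, and either decode the API's entities first or request raw output so you do not double-encode.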