Chatter REST API Developer Guide

Chatter REST API Developer Guide
Introduction
When to Use Chatter REST API
Chatter REST API Architecture
Chatter REST API Rate Limits
Build the Resource URL
Send HTTP Requests
HTTP Request Flow and a Response Body
Inputs and Binary File Upload Examples
Wildcards
Specify Response Sizes
Response Body Encoding
Status Codes and Error Responses
OAuth and Chatter REST API
Use CORS to Access Salesforce Resources from Web Browsers
Quick Start
Work with Features
Examples
Resources
Request Bodies
Response Bodies
Appendices
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Response Body Encoding

Responses are minimally HTML entity-encoded by default.
These characters are escaped in all strings:
Character Escaped as
< &lt;
> &gt;
" &quot;
' &#39;
\ &#92;
& &amp;

URL values included in response payloads have special encoding. The main part of the URL is URL-encoded as per RFC2396, and the query string is HTML-form encoded. This encoding cannot be turned off.

User-submitted content may not be filtered at input and can come from many sources including third-party mobile and web applications. Process API output for the context in which your app uses the output. Failing to process output can expose applications and users to Cross Site Scripting (XSS) exploits and other problems. These problems can result in data loss, application failure, and exposure of company information.

Warning

API output can be used in many contexts. Don’t assume that the default entity encoding is appropriate for all contexts. Using API output inside HTML attribute values, inside URLs, with JavaScript, inside <script> tags, and inside CSS all require different encoding and whitelisting. See the Open Web Application Security Project for information on how to handle API output in different contexts.

Clients can request raw (unencoded) output. Set the X-Chatter-Entity-Encoding HTTP header in a request to false.