User Interface API Developer Guide

Get Started with User Interface API
User Interface API Quick Start
User Interface API Sample Apps
Authentication, Versioning, Limits, ETag, and More
Response Body Encoding
Configure Salesforce CORS Allowlist
Status Codes and Error Responses
API End-of-Life
User Interface API Features
User Interface API Resources
User Interface API Request Bodies
User Interface API Response Bodies
Supported Objects
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Response Body Encoding

Responses are minimally HTML entity-encoded by default.
These characters are escaped in all strings:
Character Escaped as
< &lt;
> &gt;
" &quot;
' &#39;
\ &#92;
& &amp;

URL values included in response payloads have special encoding. The main part of the URL is URL-encoded as per RFC2396, and the query string is HTML-form encoded. This encoding cannot be turned off.

User-submitted content may not be filtered at input and can come from many sources including third-party mobile and web applications. Process API output for the context in which your app uses the output. Failing to process output can expose applications and users to Cross Site Scripting (XSS) exploits and other problems. These problems can result in data loss, application failure, and exposure of company information.

Warning

API output can be used in many contexts. Don’t assume that the default entity encoding is appropriate for all contexts. Using API output inside HTML attribute values, inside URLs, with JavaScript, inside <script> tags, and inside CSS all require different encoding. See the Open Web Application Security Project for information on how to handle API output in different contexts.

Clients can request raw (unencoded) output. Set the X-Chatter-Entity-Encoding HTTP header in a request to false.