
Squareup API not escaping json outputs. A quick note on unsafe API’s - zenincognito
http://zenincognito.com/squareups-api-not-escaping-json-outputs-a-quick-note-on-unsafe-apis/
======
zenincognito
Happy to hear about people's thoughts on who is responsible for safeguarding
the API?

The one consuming the API or the one releasing the API.

~~~
ptoomey3
Unless the API deals exclusively with returning HTML I'd vote it is the
consumer's responsibility. It is impossible for the API producer to know in
what context the consumer intends to use it. For example, what if the API
consumer is an iOS application and intends to use it in a non-webview? The API
should return raw data and leave it up to the consumer to decide how it will
be used and what sorts of escaping may be necessary.

~~~
zenincognito
It is a very interesting outlook. I read a few Stack Overflow discussions around
this area.

I think that item names, specifically inventory product names, ought to be
escaped. A person consuming the API may not necessarily expect unescaped
outputs. Although this makes for a very interesting discussion.

~~~
ptoomey3
Nor might a consumer expect escaped outputs. Using my iOS example, the
consumer would end up with malformed data and be required to manually unescape
every API response. Assuming all data should be escaped is a very HTML-centric
view, and only applies to one (albeit popular) consumer of the data. For
example, we don't store HTML-escaped data in the database for the same reason
(we don't know in what context the data will be used).
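The two positions in the thread, as an added example that is not code from the thread or from Square: a constructed JSON response carrying an item name with markup characters is consumed once by an HTML page and once by a native label (the iOS case above), and a third function shows what happens to both consumers if the producer HTML-escapes inside the JSON. All function and field names are hypothetical.

```javascript
// Added example: the producer's job is valid JSON; HTML-escaping belongs at
// the sink that actually emits HTML. Response shape is constructed, not Square's.
const rawApiResponse = JSON.stringify({
  items: [{ name: 'Tom & Jerry "Special" <b>Mug</b>', price_cents: 1299 }],
});

// HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Consumer 1: a web page. Escape at the point of insertion into markup.
function renderHtml(jsonText) {
  const data = JSON.parse(jsonText);
  return data.items.map((it) => `<li>${escapeHtml(it.name)}</li>`).join('');
}

// Consumer 2: a native label. It wants the raw string exactly as stored.
function renderPlainLabel(jsonText) {
  const data = JSON.parse(jsonText);
  return data.items.map((it) => it.name);
}

// Producer-side pre-escaping, which the thread argues against: the native
// consumer now displays entities, and the HTML consumer double-encodes
// (or has to unescape every field before escaping it again).
function simulatePreEscapedProducer(jsonText) {
  const data = JSON.parse(jsonText);
  data.items.forEach((it) => { it.name = escapeHtml(it.name); });
  const preEscaped = JSON.stringify(data);
  return { label: renderPlainLabel(preEscaped)[0], html: renderHtml(preEscaped) };
}

// JSON-level escaping (quotes, backslashes) is the producer's responsibility and
// is handled by the serializer; the raw response must round-trip unchanged.
function jsonRoundTrips(jsonText) {
  return JSON.stringify(JSON.parse(jsonText)) === jsonText;
}
```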

