Kevin Wiggen
Sep 7, 2012, 10:19:13 PM
to api-...@googlegroups.com
We are developing an API that is REST based with JSON payloads. Like many APIs, a number of the fields that can be set/retrieved are text based and can represent user content. Are there any best practices for how I should encode this information when passing it to a client?
Note that none of this information is meant to be HTML based, but I can't control what someone might do with my API, and many customers/partners will most likely build an HTML frontend with my data. Thus it would be possible for someone to give me a string that contains "<b>Kevin</b>". My backend does not care, but an HTML-based API consumer who isn't careful might not like the information I am passing them unless they are careful and properly escape all of my information.
I could take the high road and claim that I am client agnostic and tell people to be careful with the data I am passing, but I can also see someone claiming my server is unsafe if I pass unescaped characters in my JSON responses.
For instance, when I type <b>Kevin</b> into Facebook, their API returns "message": "\u003Cb>Kevin\u003C/b>" in the JSON payload.
Best practices???
Thanks,
Kevin
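An added example, not from the original post or from Facebook's implementation, showing the practice the Facebook response hints at, applied a little more broadly: the server JSON-escapes `<`, `>`, `&` and the U+2028/U+2029 line terminators so a response that is dropped raw into a page or a script block cannot close a tag, while the consumer-side helper shows that HTML-context escaping is still the client's job when rendering. Function names are assumptions.

```python
import html
import json

# Characters that are legal in JSON strings but dangerous when the JSON
# text is later pasted into HTML or a <script> block without escaping.
# U+2028/U+2029 are line terminators in JavaScript source but not in JSON,
# so a raw copy would also break an inline script. Replacing them with
# \uXXXX escapes keeps the document valid JSON with the same decoded value.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def dumps_html_safe(obj):
    """Serialize obj to JSON whose text contains no HTML-significant bytes.

    json.dumps never emits '<', '>' or '&' as structural tokens, so a plain
    replace only touches string contents. A literal backslash in user data is
    already emitted as '\\\\', so an existing "\\u003c" sequence is untouched."""
    text = json.dumps(obj, ensure_ascii=False)
    for ch, esc in _HTML_UNSAFE.items():
        text = text.replace(ch, esc)
    return text


def is_html_safe(json_text):
    """True if the wire text contains none of the characters above."""
    return not any(ch in json_text for ch in _HTML_UNSAFE)


def roundtrips(obj):
    """The escaping changes only the representation: decoding gives obj back."""
    return json.loads(dumps_html_safe(obj)) == obj


def render_field_as_html(json_text, field):
    """Consumer side: after parsing, the value is plain text again, so it must
    be escaped for the HTML context it is inserted into, whatever the server did."""
    value = json.loads(json_text)[field]
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample mirroring the post's "<b>Kevin</b>" input.
    payload = dumps_html_safe({"message": "<b>Kevin</b> & friends\u2028"})
    print(payload)
    print(render_field_as_html(payload, "message"))
```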