We have a REST API endpoint that returns a bunch of external URLs for a
resource

The data is of the format:

{
   "resource_data":{
      "name":"Dummny Name",
      "project_name":"Sinstein",
      "logs":"http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c/logs",
      "public_url":"http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c?auth_token=dummy_token",
      "video_url":"http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c/video-1b6575be8867bfda659b25789c216c268194b2f0.mp4?AWSAccessKeyId=dummyid\u0026Signature=dummysignature\u0026response-content-type=video%2Fmp4"
   }
}

The URLs that are a part of the data are external URLs that point to where
the files are stored.

We generate a hash of this data in Rails and return JSON from the hash.
This causes the URLs to be encoded
<https://stackoverflow.com/questions/17936318/why-does-to-json-escape-unicode-automatically-in-rails-4>.
I can prevent the encoding by using JSON::dump
<https://stackoverflow.com/questions/5123993/json-encoding-wrongly-escaped-rails-3-ruby-1-9-2/14952985#14952985>
instead of relying on *to_json*.

The question this brings up is: what is the best practice here? Should the
URLs be encoded when being returned in the body of the response? I
understand that allowing unescaped JSON data to pass around opens up the
possibility of a security breach
<https://stackoverflow.com/questions/17936318/why-does-to-json-escape-unicode-automatically-in-rails-4/17946022#17946022>,
but in this case the data is generated by us and does not depend on user
input.

Should we return unescaped valid URLs or let them be encoded when sending a
response?

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
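An added example, not code from the post above: it contrasts the two encodings the poster mentions using only the stdlib json gem. The `rails_style_json` helper is an assumption that approximates what ActiveSupport's `to_json` does to `&`, `<`, `>` and the U+2028/2029 separators; the sample payload is constructed.

```ruby
require 'json'

# Constructed sample modelled on the payload in the post (not the poster's data).
# The signed S3-style URL carries '&' between query parameters.
RESOURCE = {
  "resource_data" => {
    "video_url" => "http://example.com/video.mp4?AWSAccessKeyId=dummyid&Signature=dummysignature"
  }
}.freeze

# Characters that Rails' to_json (ActiveSupport, escape_html_entities_in_json on)
# rewrites as \u escapes after generating the JSON text. Single quotes keep the
# backslash literal, so each value is the six-character escape sequence.
HTML_UNSAFE = {
  "&" => '\u0026', "<" => '\u003c', ">" => '\u003e',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Approximation of the Rails behaviour (assumption: this mirrors ActiveSupport's
# post-processing of the generated text; it is not ActiveSupport itself).
def rails_style_json(obj)
  JSON.generate(obj).gsub(/[&<>\u2028\u2029]/) { |c| HTML_UNSAFE[c] }
end

# The alternative the post mentions: JSON.dump leaves '&', '<' and '>' untouched.
def plain_json(obj)
  JSON.dump(obj)
end

# Both encodings are valid JSON and decode to the same Ruby object, so an API
# client that parses the body gets the identical URL either way.
def round_trips_identically?(obj)
  JSON.parse(rails_style_json(obj)) == JSON.parse(plain_json(obj)) &&
    JSON.parse(plain_json(obj)) == obj
end

# Where the escaping matters: JSON text placed inside an HTML <script> element.
# The HTML parser ends the element at the first "</script>" it sees, regardless
# of JSON string boundaries; the \u003c form never contains that byte sequence,
# which is why the Rails default escapes these characters.
def contains_script_close_tag?(json_text)
  json_text.include?("</script>")
end

if __FILE__ == $PROGRAM_NAME
  puts rails_style_json(RESOURCE)
  puts plain_json(RESOURCE)
  puts round_trips_identically?(RESOURCE)
end
```

For a pure API consumer the escaped form costs nothing; the choice only affects bodies that are later interpolated into HTML without a second round of escaping.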