On Thu, Jan 19, 2017 at 4:01 PM, Gergo Tisza <gtisza@wikimedia.org> wrote:
On Thu, Jan 19, 2017 at 7:25 AM, Brad Jorsch (Anomie) <bjorsch@wikimedia.org> wrote:
Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced.

I wonder if it would be worthwhile for the API to issue a more specific warning when a token has been submitted but it does not have the format that tokens normally do. Something like "you submitted the token abc1234 \ but you were expected to submit the token abc1234+\ which in the raw request should look like abc1234%2B%5C" might make it easier for people to figure out on their own what they are doing wrong.

OTOH, every check of this sort we add is more code complexity. And I note if you're using multipart/form-data, it shouldn't look like "abc1234%2B%5C".


--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
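
The token round trip discussed in this thread, as an added example that is not part of the original messages or of MediaWiki's code: it decodes the JSON escape, shows what a form-urlencoded body looks like with and without percent-encoding, and classifies a malformed token the way the proposed warning would. The function names, the sample JSON shape and the hint wording are assumptions made for illustration.

```python
import json
from urllib.parse import urlencode, parse_qs

# Constructed sample response: in JSON text the backslash is escaped as "\\".
SAMPLE_JSON = r'{"csrftoken": "abc1234+\\"}'
TOKEN_SUFFIX = "+\\"  # per the thread, a token ends in "+" and ONE backslash


def token_from_json(response_text):
    """A correct JSON decoder turns the escaped pair into a single backslash."""
    return json.loads(response_text)["csrftoken"]


def received_token(urlencoded_body):
    """Simulate how a receiver decodes an application/x-www-form-urlencoded body."""
    return parse_qs(urlencoded_body, keep_blank_values=True)["token"][0]


def diagnose_token(submitted):
    """Return None for a well-formed token, else a hint naming the likely mistake."""
    if submitted.endswith("+\\\\"):
        return "JSON escape not decoded: token ends in two backslashes"
    if submitted.endswith(TOKEN_SUFFIX):
        return None
    if submitted.endswith(" \\"):
        return "'+' arrived as a space: send %2B%5C in a urlencoded body"
    if submitted.lower().endswith("%2b%5c"):
        return "token still percent-encoded: multipart/form-data fields are sent raw"
    return "token does not end in '+\\'"


if __name__ == "__main__":
    token = token_from_json(SAMPLE_JSON)
    good_body = urlencode({"token": token})  # percent-encodes "+" and "\"
    bad_body = "token=" + token              # raw "+" will be read as a space
    for body in (good_body, bad_body):
        seen = received_token(body)
        print(f"{body!r} -> {seen!r}: {diagnose_token(seen) or 'ok'}")
    # Percent-encoding a multipart field by mistake leaves the escapes in place.
    print(diagnose_token("abc1234%2B%5C"))
```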