Brion Vibber wrote:
Your ideas to secure api.php output against HTML abuse are interesting, but I don't think the txt and dbg formats can be fixed that way.
Why do we actually have these extra unparseable formats? If they're for debug readability then we can probably just make them HTML-formatted, like jsonfm/xmlfm/etc.
You're talking about api.php?format=txt and api.php?format=dbg? I'd strongly recommend at least rudimentary log sampling on the Wikimedia cluster to check for use frequency before making any decision. People have all sorts of strange use-cases and it could be a rather nasty breaking change for some people. It'd be nice to have hard(er) data before making a decision, even if it turns out that the idea behind having these extra formats was initially misguided.
MZMcBride
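
One way to do the log sampling suggested in this message, as an added example that is not part of the original thread: it counts api.php requests per `format` value and the distinct user agents behind each, so rare consumers of `txt` and `dbg` show up before anything is changed. The combined log format, the `/w/api.php` path, the sample lines and the name `format_usage` are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real Wikimedia traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2012:00:00:01 +0000] "GET /w/api.php?action=query&format=json HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
192.0.2.11 - - [01/Jan/2012:00:00:02 +0000] "GET /w/api.php?action=query&format=txt HTTP/1.1" 200 734 "-" "ExampleScript/0.3"
192.0.2.11 - - [01/Jan/2012:00:00:03 +0000] "GET /w/api.php?action=query&format=dbg HTTP/1.1" 200 801 "-" "ExampleScript/0.3"
192.0.2.12 - - [01/Jan/2012:00:00:04 +0000] "GET /w/api.php?format=txt&action=query HTTP/1.1" 200 734 "-" "Mozilla/5.0 (constructed)"
192.0.2.13 - - [01/Jan/2012:00:00:05 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (constructed)"
192.0.2.14 - - [01/Jan/2012:00:00:06 +0000] "GET /w/api.php?action=query HTTP/1.1" 200 640 "-" "ExampleBot/1.0"
"""

# Request target and user agent from one combined-log line.
REQUEST_RE = re.compile(
    r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"'
)

def format_usage(lines, sample_every=1):
    """Return (requests per format, user agents per format) for api.php.

    sample_every=N looks at every Nth line only. Parameters sent in a POST
    body are not in the access log, so those requests count as unspecified.
    """
    counts = Counter()
    agents = defaultdict(set)
    for i, line in enumerate(lines):
        if i % sample_every:
            continue
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/api.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # PHP keeps the last value when a parameter is repeated.
        fmt = params.get("format", ["(unspecified)"])[-1]
        counts[fmt] += 1
        agents[fmt].add(match.group(2))
    return counts, agents

if __name__ == "__main__":
    counts, agents = format_usage(SAMPLE_LOG.splitlines())
    for fmt, n in counts.most_common():
        print(f"{fmt:15} {n:4} requests, {len(agents[fmt])} distinct user agents")
```

The distinct user agent count matters as much as the request count: a format with few requests but several unrelated clients is a wider breaking change than one busy script.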