Probably it is too late to change it now, but someone has to say it: I
think it is the wrong approach to do HTML escaping in the API on the
Twitter side. For starters, not every consumer is a website. Secondly,
even if I am a website, now I have to rely on Twitter getting the
escaping right.

I'd much rather rely on my own HTML escaping algorithm, and get the
data in pure form without assumptions about its use. It should be a
natural reflex for web developers to escape everything, so to put the
Twitter data on my website without escaping it leaves me with a very
uneasy feeling (my nervous system wants to escape the strings).

The workaround is to first unescape the HTML and then escape it again,
I suppose? I haven't thought it through 100% to see if that would be a
fail-safe approach.

I just noticed that for example bit.ly is bitten by this, they seem to
escape the data from Twitter, so that the text comes out ugly on their
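
The unescape-then-escape workaround raised in the post, next to the double-escaping symptom it describes, as an added Python example that is not part of the original message. The sample strings are constructed, and the code assumes the API applies exactly one layer of HTML entity escaping.

```python
import html

def render_naive(api_text: str) -> str:
    """Escape text that upstream already escaped: safe, but double-encoded."""
    return html.escape(api_text, quote=True)

def to_plain(api_text: str) -> str:
    """Decode upstream entities exactly once (for non-web consumers too)."""
    return html.unescape(api_text)

def render_normalized(api_text: str) -> str:
    """Decode once, then apply our own escaping at the output boundary.

    The final html.escape() is what makes the result safe to place in HTML
    text or a quoted attribute, whether or not upstream escaped correctly.
    """
    return html.escape(to_plain(api_text), quote=True)

# Constructed sample inputs (not real API responses).
SAMPLES = {
    # Upstream escaped as assumed.
    "escaped_upstream": "I &lt;3 Tom &amp; Jerry",
    # Upstream failed to escape: the case the post worries about.
    "upstream_missed": "<script>x</script>",
    # The user literally typed "&lt;"; upstream escaped the ampersand.
    "literal_entity": "write &amp;lt; to show &lt;",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name)
        print("  naive     :", render_naive(text))
        print("  plain     :", to_plain(text))
        print("  normalized:", render_normalized(text))
```

Decoding must happen exactly once: a second pass would turn the literal `&lt;` typed by the user in the third sample into `<`.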

