
Does a Google API authenticated response need sanitization?

Do I have to be worried about code injection when doing authenticated calls to any Google service using their APIs?

Do I need to sanitize/filter the response before using it?

I'm currently using Zend GData.

An elaborate answer is appreciated not just yes or no :)

Thank you.


Yes. Yes you do need to sanitize the data. Sort-of.

This is really one of the basic principles of security at work here: Filter In, Escape Out. Basically:

Filter In

Always filter the data that comes into your application. What does that mean?

If the data isn't hard-coded in your source code, you should be filtering it. Even if it comes from something you think you "trust" like your database, or from Google, filter it. Always.

Filtering basically means checking to see if it's what you expect. If you're expecting an alphanumeric username, and you find a symbol in it, that's a problem. Note that filtering does not mean escaping. It can be "destructive", meaning to replace away the bad parts, or it can be rejecting, meaning to reject the input altogether...

Escape Out

Always escape any data that leaves your application. It doesn't matter if it's coming from a trustworthy source. It needs to be escaped on its way out. And it needs to be escaped appropriately for the context it's going to be used in. So if you're outputting to a database, you'll want to escape one way, and if you're outputting to an HTML block, you'll escape another way...

The question here is "does this thing that comes from a remote server need sanitization?". And the answer is: yes. Always. Without question.
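The "Filter In, Escape Out" principle from the answer above, as an added worked example that is not part of the original question or answer and is not Zend GData code. It is written in Python rather than PHP so that it runs stand-alone; the feed entries, field names and validation rules are all constructed assumptions standing in for whatever a parsed API response would carry. It shows both filtering modes the answer mentions (rejecting vs. destructive) on the way in, and two different escaping contexts (HTML and SQL) on the way out.

```python
import html
import re
import sqlite3

# Constructed sample entries, standing in for records parsed out of a remote
# feed. The second entry is deliberately malformed to exercise the filters.
SAMPLE_ENTRIES = [
    {"username": "alice_01",
     "display_name": "Alice",
     "email": "alice@example.com"},
    {"username": "bob<script>alert(1)</script>",
     "display_name": "Bob \"Robert\" O'Neil",
     "email": "not-an-email"},
]

# Assumed validation rules: what we *expect* each field to look like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_DISPLAY_NAME = 64


class RejectedInput(ValueError):
    """Raised when an entry fails the filter in 'reject' mode."""
    pass


def filter_entry(entry, mode="reject"):
    """Filter In: validate every field against what the application expects.

    mode="reject"      -> raise RejectedInput on the first bad field.
    mode="destructive" -> strip the bad parts and keep going.
    """
    username = str(entry.get("username", ""))
    if not USERNAME_RE.match(username):
        if mode == "reject":
            raise RejectedInput("username failed filter: %r" % username)
        username = re.sub(r"[^A-Za-z0-9_]", "", username)[:32]

    email = str(entry.get("email", ""))
    if not EMAIL_RE.match(email):
        if mode == "reject":
            raise RejectedInput("email failed filter: %r" % email)
        email = ""  # destructive: drop the unusable value

    # Free text: only length-bound it here. Quotes and brackets are legitimate
    # in a name; making them safe is the output layer's job (Escape Out).
    display_name = str(entry.get("display_name", ""))[:MAX_DISPLAY_NAME]

    return {"username": username, "display_name": display_name, "email": email}


def filter_feed(entries, mode="reject"):
    """Run filter_entry over a whole feed; return (accepted, rejection_reasons)."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(filter_entry(entry, mode))
        except RejectedInput as exc:
            rejected.append(str(exc))
    return accepted, rejected


def render_html(entry):
    """Escape Out, HTML context: every value is escaped for HTML, even though
    it already passed the input filter."""
    return "<li>%s &lt;%s&gt;</li>" % (
        html.escape(entry["display_name"]),
        html.escape(entry["email"]),
    )


def store_in_memory(entries):
    """Escape Out, SQL context: a parameterised query lets the driver do the
    escaping; the values are never concatenated into the statement text.
    Returns the number of rows stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (username TEXT PRIMARY KEY, "
        "display_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)",
        [(e["username"], e["display_name"], e["email"]) for e in entries],
    )
    conn.commit()
    count = conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]
    conn.close()
    return count


if __name__ == "__main__":
    accepted, rejected = filter_feed(SAMPLE_ENTRIES, mode="reject")
    print("reject mode kept %d, rejected %d" % (len(accepted), len(rejected)))
    accepted, _ = filter_feed(SAMPLE_ENTRIES, mode="destructive")
    for e in accepted:
        print(render_html(e))
    print("stored rows:", store_in_memory(accepted))
```

Both modes are shown because the answer does not prefer one: rejecting is the safer default when a bad field means the whole record is suspect, while the destructive mode keeps the feed usable at the cost of silently altering values. Note that the display name passes the filter untouched and is only made safe by `html.escape` at output time, which is exactly the separation the answer draws between filtering and escaping.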
