We have a REST API endpoint that returns a bunch of external URLs for a resource
The data is of the format:
The URLs that are a part of the data are external URLs that point to where the files are stored.
The question that brings up is what is the best practice here? Should the URLs be encoded when being returned in the body of the response? I understand that allowing unescaped JSON data to pass around opens up the possibility of a security breach but in this case, the data is generated by us and does not depend on the user input.
Should we return unescaped valid URLs or let them be encoded when sending a response?