Keep writeStringSlowPath & writeStringSlowPathWithHTMLEscaped func th…

…e same
json-iterator · Mar 13, 2023 · ca479af · ca479af
1 parent de82dbd
commit ca479af
Showing 1 changed file with 28 additions and 2 deletions.
diff --git a/stream_str.go b/stream_str.go
@@ -362,8 +362,34 @@ func writeStringSlowPath(stream *Stream, i int, s string, valLen int) {
 			start = i
 			continue
 		}
-		i++
-		continue
+		c, size := utf8.DecodeRuneInString(s[i:])
+		if c == utf8.RuneError && size == 1 {
+			if start < i {
+				stream.WriteRaw(s[start:i])
+			}
+			stream.WriteRaw(`\ufffd`)
+			i++
+			start = i
+			continue
+		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
+		if c == '\u2028' || c == '\u2029' {
+			if start < i {
+				stream.WriteRaw(s[start:i])
+			}
+			stream.WriteRaw(`\u202`)
+			stream.writeByte(hex[c&0xF])
+			i += size
+			start = i
+			continue
+		}
+		i += size
 	}
 	if start < len(s) {
 		stream.WriteRaw(s[start:])