DeJson string deserialization accepts various invalid JSON strings
thomcc opened this issue · comments
After #10 lands, there are two issues with DeJson's string deserialization code:
- Various invalid escapes to get through. Any character that appears after a backslash is allowed more or less.
- Various ASCII control codes are allowed in JSON strings in unescaped form, but it should be an error if any below U+0020 appear without being escaped. (E.g.
Lines 517 to 519 in 0704316
Lines 524 to 526 in 0704316
('\u{0}'..'\u{20}')
that causes an error).
I don't really care a ton about either of these personally, though.