I am reinventing the wheel and creating my own JSON parse methods in Java.
I am going by the (very nice!) documentation on json.org. The only part I am unsure about is where it says "or control character"
Since the documentation is so clear, and JSON is so simple and easy to implement, I thought I would go ahead and require the spec instead of being loose.
How would I correctly strip out control characters in Java? Perhaps there is a unicode range?
I have been informed that there are other control characters outside of the defined range 1 2 that can be troublesome in tags.
Most notably the characters U+2028 and U+2029, Line and Paragraph Separator, which act as newlines. Injecting a newline into the middle of a string literal will most likely cause a syntax error (unterminated string literal). 3
Though I believe this does not pose an XSS threat, it is still a good idea to add extra rules for the use in tags.
\u
notation. Those characters are uncommon to begin with. If you like, you could add to the white-list, but I do recommend a white-list approach.
(not case sensitive), which could cause HTML script injection to your page with the characters
. None of those characters are by default encoded in JSON.