Fix the parser to not accept invalid escapes

CHANGES.md

@@ -2,6 +2,9 @@
 
 ### Unreleased
 
+* Fixed the parser to no longer ignore invalid escapes in strings.
+  Only `\"`, `\\`, `\b`, `\f`, `\n`, `\r`, `\t` and `\u` are valid JSON escapes.
+
 ### 2025-11-07 (2.16.0)
 
 * Deprecate `JSON::State#[]` and `JSON::State#[]=`. Consider using `JSON::Coder` instead.

ext/json/ext/parser/parser.c

@@ -639,44 +639,43 @@ static inline VALUE json_string_fastpath(JSON_ParserState *state, const char *st
 static VALUE json_string_unescape(JSON_ParserState *state, const char *string, const char *stringEnd, bool is_name, bool intern, bool symbolize)
 {
     size_t bufferSize = stringEnd - string;
-    const char *p = string, *pe = string, *unescape, *bufferStart;
+    const char *p = string, *pe = string, *bufferStart;
     char *buffer;
-    int unescape_len;
-    char buf[4];
 
     VALUE result = rb_str_buf_new(bufferSize);
     rb_enc_associate_index(result, utf8_encindex);
     buffer = RSTRING_PTR(result);
     bufferStart = buffer;
 
+#define APPEND_CHAR(chr) *buffer++ = chr; p = ++pe;
+
     while (pe < stringEnd && (pe = memchr(pe, '\\', stringEnd - pe))) {
-        unescape = (char *) "?";
-        unescape_len = 1;
         if (pe > p) {
           MEMCPY(buffer, p, char, pe - p);
           buffer += pe - p;
         }
         switch (*++pe) {
+            case '"':
+            case '/':
+                p = pe; // nothing to unescape just need to skip the backslash
+                break;
+            case '\\':
+                APPEND_CHAR('\\');
+                break;
             case 'n':
-                unescape = (char *) "\n";
+                APPEND_CHAR('\n');
                 break;
             case 'r':
-                unescape = (char *) "\r";
+                APPEND_CHAR('\r');
                 break;
             case 't':
-                unescape = (char *) "\t";
-                break;
-            case '"':
-                unescape = (char *) "\"";
-                break;
-            case '\\':
-                unescape = (char *) "\\";
+                APPEND_CHAR('\t');
                 break;
             case 'b':
-                unescape = (char *) "\b";
+                APPEND_CHAR('\b');
                 break;
             case 'f':
-                unescape = (char *) "\f";
+                APPEND_CHAR('\f');
                 break;
             case 'u':
                 if (pe > stringEnd - 5) {
@@ -714,18 +713,23 @@ static VALUE json_string_unescape(JSON_ParserState *state, const char *string, c
                             break;
                         }
                     }
-                    unescape_len = convert_UTF32_to_UTF8(buf, ch);
-                    unescape = buf;
+
+                    char buf[4];
+                    int unescape_len = convert_UTF32_to_UTF8(buf, ch);
+                    MEMCPY(buffer, buf, char, unescape_len);
+                    buffer += unescape_len;
+                    p = ++pe;
                 }
                 break;
             default:
-                p = pe;
-                continue;
+                if ((unsigned char)*pe < 0x20) {
+                    raise_parse_error_at("invalid ASCII control character in string: %s", state, pe - 1);
+                }
+                raise_parse_error_at("invalid escape character in string: %s", state, pe - 1);
+                break;
         }
-        MEMCPY(buffer, unescape, char, unescape_len);
-        buffer += unescape_len;
-        p = ++pe;
     }
+#undef APPEND_CHAR
 
     if (stringEnd > p) {
       MEMCPY(buffer, p, char, stringEnd - p);
@@ -976,9 +980,6 @@ static inline VALUE json_parse_string(JSON_ParserState *state, JSON_ParserConfig
             case '\\': {
                 state->cursor++;
                 escaped = true;
-                if ((unsigned char)*state->cursor < 0x20) {
-                    raise_parse_error("invalid ASCII control character in string: %s", state);
-                }
                 break;
             }
             default:

java/src/json/ext/StringDecoder.java

@@ -69,6 +69,15 @@ private void handleEscapeSequence(ThreadContext context) throws IOException {
         case 't':
             append('\t');
             break;
+        case '/':
+            append('/');
+            break;
+        case '"':
+            append('"');
+            break;
+        case '\\':
+            append('\\');
+            break;
         case 'u':
             ensureMin(context, 4);
             int cp = readHex(context);
@@ -81,8 +90,8 @@ private void handleEscapeSequence(ThreadContext context) throws IOException {
                 writeUtf8Char(cp);
             }
             break;
-        default: // '\\', '"', '/'...
-            quoteStart();
+        default:
+            throw invalidEscape(context);
         }
     }
 
@@ -174,4 +183,12 @@ protected RaiseException invalidUtf8(ThreadContext context) {
         return Utils.newException(context, Utils.M_PARSER_ERROR,
                                   context.runtime.newString(message));
     }
+
+    protected RaiseException invalidEscape(ThreadContext context) {
+        ByteList message = new ByteList(
+                ByteList.plain("invalid escape character in string: "));
+        message.append(src, charStart, srcEnd - charStart);
+        return Utils.newException(context, Utils.M_PARSER_ERROR,
+                                  context.runtime.newString(message));
+    }
 }

test/json/json_fixtures_test.rb

@@ -10,6 +10,8 @@ class JSONFixturesTest < Test::Unit::TestCase
     source = File.read(f)
     define_method("test_#{name}") do
       assert JSON.parse(source), "Did not pass for fixture '#{File.basename(f)}': #{source.inspect}"
+    rescue JSON::ParserError
+      raise "#{File.basename(f)} parsing failure"
     end
   end
 

test/json/json_parser_test.rb

@@ -510,8 +510,8 @@ def test_backslash
     data = ['"']
     assert_equal data, parse(json)
     #
-    json = '["\\\'"]'
-    data = ["'"]
+    json = '["\\/"]'
+    data = ["/"]
     assert_equal data, parse(json)
 
     json = '["\/"]'