While \uxxxx escapes are valid in a JSON string, they can create failures once the data leaves the JSON context, e.g. when writing it to a database or piping it through other tools. While most tools may handle this gracefully, there is at least one known exception:
Postgres cannot handle \u0000 in strings in the jsonb type (because the null character is not allowed in text) (see datatype-json).
Consequently, services that forward JSON content to sensitive tools must check their input and reject or sanitize characters not supported by their tooling.
A good candidate for adding this warning would be rule #167; however, maybe this would not be prominent enough and we should create a new rule: {MUST} sanitize JSON payloads from critical characters
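As an added example (not part of this issue or of the guidelines project), the following Python code shows both options the text mentions for a service that forwards JSON to a store such as Postgres jsonb: a reject mode that locates every string carrying U+0000 and refuses the payload, and a sanitize mode that strips the character and re-serializes. The check runs on the decoded document rather than on the raw text, so it catches the `\u0000` escape in values, array elements and object keys alike. Function names and the sample payload are constructed for the example.

```python
import json
from typing import Any, List

NUL = "\x00"


class UnsupportedCharacterError(ValueError):
    """Raised when a decoded JSON document contains a character the backing
    store cannot accept (here: U+0000, which Postgres jsonb/text rejects)."""


def find_nul_paths(node: Any, path: str = "$") -> List[str]:
    """Walk a decoded JSON document and return the JSON path of every string
    (object key or value) that contains U+0000.

    Running on the decoded document means json.loads has already turned the
    escape \\u0000 into a real NUL character, so no regex over the raw text
    is needed and no spelling of the escape is missed."""
    hits: List[str] = []
    if isinstance(node, str):
        if NUL in node:
            hits.append(path)
    elif isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if NUL in key:  # object keys are strings too
                hits.append(child)
            hits.extend(find_nul_paths(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_nul_paths(item, f"{path}[{index}]"))
    # numbers, booleans and null cannot carry NUL; nothing to do for them
    return hits


def strip_nul(node: Any, replacement: str = "") -> Any:
    """Return a copy of the decoded document with U+0000 removed (or replaced)
    in every string, including object keys."""
    if isinstance(node, str):
        return node.replace(NUL, replacement)
    if isinstance(node, dict):
        return {strip_nul(k, replacement): strip_nul(v, replacement)
                for k, v in node.items()}
    if isinstance(node, list):
        return [strip_nul(item, replacement) for item in node]
    return node


def validate_payload(raw: str) -> Any:
    """Reject mode: parse the payload and raise if any string carries NUL."""
    doc = json.loads(raw)
    hits = find_nul_paths(doc)
    if hits:
        raise UnsupportedCharacterError(
            "U+0000 not allowed in JSON strings; found at " + ", ".join(hits))
    return doc


def sanitize_payload(raw: str, replacement: str = "") -> str:
    """Sanitize mode: parse, strip NUL everywhere, and re-serialize."""
    return json.dumps(strip_nul(json.loads(raw), replacement))


# Constructed sample payload (not from the issue): a NUL escape in a value,
# in an array element, and in an object key.
SAMPLE = ('{"name": "Alice\\u0000", "tags": ["ok", "bad\\u0000"], '
          '"nested": {"k\\u0000ey": 1}}')

if __name__ == "__main__":
    print(find_nul_paths(json.loads(SAMPLE)))
    print(sanitize_payload(SAMPLE))
```

Rejecting is the safer default for a forwarding service, since silently dropping characters changes the client's data; sanitizing is appropriate only where the API contract states that U+0000 is not representable.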