Function json_string_encode 

pub fn json_string_encode(payload: &str) -> String

JSON string-content escape — produces the escaped INTERIOR of a JSON string literal (no surrounding "..." quotes).

Pre-fix this wrapped the output in double quotes. The wrapping broke every common use case: the encoder is called by the variant builder which substitutes the result into the operator’s payload at an injection point inside an EXISTING string field (typical: {"q": "<wrapped>"}). Adding our own quotes produced {"q": ""actual\"escaped""} — two strings concatenated, malformed JSON, server returns 400. The escape characters survived but the host JSON was broken.

Removing the wrapping quotes makes the encoder do what its name says — escape the content. Callers that need a full standalone JSON-string literal can add the surrounding " quotes themselves.

Context: Inject INSIDE an existing JSON string field. Backend JSON parser unescapes the sequence; the WAF sees the escaped form (e.g. \u003c instead of <) and misses the keyword.
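
The defensive counterpart to the Context note, as an added example that is not part of this crate: an inspection layer that decodes JSON string escapes before keyword matching, so it sees the same text the backend parser does. The names `json_string_decode`, `hex4` and `inspect`, the `<script` keyword and the sample field are assumptions for illustration, and the field's raw interior is assumed to be already extracted from the request body.

```rust
// Added example; `json_string_decode`, `hex4` and `inspect` are hypothetical names.
/// Decode the interior of a JSON string literal (no surrounding quotes).
/// Returns None on a malformed escape so the caller can fail closed.
fn json_string_decode(s: &str) -> Option<String> {
    let mut out = String::new();
    let mut it = s.chars();
    while let Some(c) = it.next() {
        if c != '\\' { out.push(c); continue; }
        match it.next()? {
            c @ ('"' | '\\' | '/') => out.push(c),
            'b' => out.push('\u{8}'),
            'f' => out.push('\u{c}'),
            'n' => out.push('\n'),
            'r' => out.push('\r'),
            't' => out.push('\t'),
            'u' => {
                let hi = hex4(&mut it)?;
                let cp = if (0xD800..0xDC00).contains(&hi) {
                    // High surrogate: a \uDC00..\uDFFF low surrogate must follow.
                    if it.next()? != '\\' || it.next()? != 'u' { return None; }
                    let lo = hex4(&mut it)?;
                    if !(0xDC00..0xE000).contains(&lo) { return None; }
                    0x10000 + ((hi - 0xD800) << 10) + (lo - 0xDC00)
                } else { hi };
                out.push(char::from_u32(cp)?); // lone low surrogate -> None
            }
            _ => return None,
        }
    }
    Some(out)
}

/// Read exactly four hex digits of a \uXXXX escape.
fn hex4(it: &mut std::str::Chars) -> Option<u32> {
    let mut v = 0;
    for _ in 0..4 { v = v * 16 + it.next()?.to_digit(16)?; }
    Some(v)
}

/// True when the field should be blocked: match on the decoded value,
/// and block content that does not decode.
fn inspect(raw_field: &str, keyword: &str) -> bool {
    json_string_decode(raw_field).map_or(true, |v| v.to_lowercase().contains(keyword))
}

fn main() {
    let raw = r"\u003cscript\u003e"; // constructed sample, as seen on the wire
    println!("raw bytes match:  {}", raw.contains("<script"));
    println!("decoded match:    {}", inspect(raw, "<script"));
}
```

The decoder handles escapes only; it does not validate the rest of the JSON grammar, so it belongs after a real parser has located the field.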