pub fn json_string_encode(payload: &str) -> StringExpand description
JSON string-content escape — produces the escaped INTERIOR of a
JSON string literal (no surrounding "..." quotes).
Pre-fix this wrapped the output in double quotes. The wrapping
broke every common use case: the encoder is called by the
variant builder which substitutes the result into the operator’s
payload at an injection point inside an EXISTING string field
(typical: {"q": "<wrapped>"}). Adding our own quotes produced
{"q": ""actual\"escaped""} — two strings concatenated, malformed
JSON, server returns 400. The escape characters survived but the
host JSON was broken.
Removing the wrapping quotes makes the encoder do what its name
says — escape the content. Callers that need a full standalone
JSON-string literal can prepend " themselves.
Context: Inject INSIDE an existing JSON string field. Backend
JSON parser unescapes the sequence; the WAF sees the escaped
form (e.g. < instead of <) and misses the keyword.