From 02c1d10c9fe1d3e66bb5ef8e7e46404e01113383 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Thu, 26 Oct 2017 13:32:19 +1030
Subject: [PATCH] json: escape strings we output in JSON.

We're going to output description strings, which are untrusted.

Signed-off-by: Rusty Russell
---
 common/json.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/common/json.c b/common/json.c
index afb237ee3..9f96ca81e 100644
--- a/common/json.c
+++ b/common/json.c
@@ -412,8 +412,17 @@ void json_add_literal(struct json_result *result, const char *fieldname,
 void json_add_string(struct json_result *result, const char *fieldname, const char *value)
 {
+ char *escaped = tal_arr(result, char, strlen(value) * 2 + 1);
+ size_t i, n;
+
 json_start_member(result, fieldname);
- result_append_fmt(result, "\"%s\"", value);
+ for (i = n = 0; value[i]; i++) {
+ if (value[i] == '\\' || value[i] == '"')
+ escaped[n++] = '\\';
+ escaped[n++] = value[i];
+ }
+ escaped[n] = '\0';
+ result_append_fmt(result, "\"%s\"", escaped);
 }
 void json_add_bool(struct json_result *result, const char *fieldname, bool value)
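Review bot: The new loop in json_add_string escapes only `\` and `"`, but JSON also forbids raw control characters (U+0000 to U+001F) inside a string, so an untrusted description carrying a newline or another control byte still produces output that strict parsers reject and that can confuse line-oriented consumers of the result. Those bytes should be written as `\u00XX`, which raises the worst-case expansion from two bytes per input byte to six and therefore changes the `tal_arr` size. Separately, `escaped` is allocated as a child of `result` and is not released anywhere in the hunk, so each call appears to keep a second copy of the string alive until `result` itself is freed; a `tal_free(escaped)` after `result_append_fmt` would avoid that, assuming the append copies its argument. Bytes that are not valid UTF-8 are also passed through unchanged, which is worth a comment even if it is left for a later change.

```c
	/* Worst case: a control byte expands to the six bytes \u00XX. */
	char *escaped = tal_arr(result, char, strlen(value) * 6 + 1);
	/* … unchanged: size_t i, n; and json_start_member() … */
	for (i = n = 0; value[i]; i++) {
		unsigned char c = value[i];

		if (c == '\\' || c == '"') {
			escaped[n++] = '\\';
			escaped[n++] = c;
		} else if (c < 0x20) {
			/* RFC 8259 forbids raw U+0000..U+001F inside a string. */
			n += snprintf(escaped + n, 7, "\\u%04x", c);
		} else {
			escaped[n++] = c;
		}
	}
	/* … unchanged: NUL-terminate and result_append_fmt() … */
	/* Only needed for the append; do not keep it for result's lifetime. */
	tal_free(escaped);
```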