authorShenghou Ma <minux.ma@gmail.com>2014-02-05 01:24:51 -0500
committerShenghou Ma <minux.ma@gmail.com>2014-02-05 01:24:51 -0500
commit8a2dd16c7489493dab025a2edf3c58c3acab3d3e (patch)
treea4fa8195186151ff31123d133aaf20f98b8686d7 /src/pkg/encoding/json/encode.go
parent57bc80b5e8631637f0e756afa1872933ca9db231 (diff)
encoding/json: mention escaping of '&'
Fixes #7034. LGTM=iant R=golang-codereviews, iant CC=golang-codereviews https://golang.org/cl/57140043
Diffstat (limited to 'src/pkg/encoding/json/encode.go')
-rw-r--r--src/pkg/encoding/json/encode.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/pkg/encoding/json/encode.go b/src/pkg/encoding/json/encode.go
index 4a77ba1cd2..741ddd89cb 100644
--- a/src/pkg/encoding/json/encode.go
+++ b/src/pkg/encoding/json/encode.go
@@ -44,6 +44,7 @@ import (
// if an invalid UTF-8 sequence is encountered.
// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
// to keep some browsers from misinterpreting JSON output as HTML.
+// Ampersand "&" is also escaped to "\u0026" for the same reason.
//
// Array and slice values encode as JSON arrays, except that
// []byte encodes as a base64-encoded string, and a nil slice
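Review bot: The added line says `&` is escaped "for the same reason", but the doc comment still gives callers no hint of the limits of that protection. Escaping `<`, `>` and `&` lowers the risk when a browser treats the response as HTML; it does not replace serving the output with a JSON content type, and a reader could take the wording as a general guarantee. I would add a sentence such as `// This escaping is a mitigation, not a substitute for serving the output with a JSON Content-Type.` The doc comment starts and ends outside the hunk, so it may already say this elsewhere.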
@@ -804,7 +805,7 @@ func (e *encodeState) string(s string) (int, error) {
e.WriteByte('r')
default:
// This encodes bytes < 0x20 except for \n and \r,
- // as well as < and >. The latter are escaped because they
+ // as well as <, > and &. The latter are escaped because they
// can lead to security holes when user-controlled strings
// are rendered into JSON and served to some browsers.
e.WriteString(`\u00`)
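Review bot: "The latter" in the updated comment is ambiguous now that the list after the control bytes has three items, since the phrase normally picks out the second of two. Naming the set removes the doubt: `// as well as <, > and &. These three are escaped because they`. The check that routes a byte into this `default:` branch is outside the hunk, so whether `&` actually reaches it cannot be confirmed from here. If no test already asserts that `&` encodes as `\u0026`, adding one would keep the comment and the code from drifting apart. The enclosing function `string` starts and ends outside the hunk.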