From 461df9d621b6653bec63fcc6f28a9729f89c54e7 Mon Sep 17 00:00:00 2001
From: Simon Resch <simon.resch@code-intelligence.de>
Date: Thu, 3 Mar 2022 09:04:41 +0100
Subject: [PATCH 1/2] Revert "Escape <!--, --> and <script (#20)"

This reverts commit f3512bab078af3f5c533dacc2d410add8c0c1124.
---
 README.md                                     |   4 +-
 .../java/com/google/json/JsonSanitizer.java   |  68 ++------
 .../com/google/json/JsonSanitizerTest.java    | 157 +-----------------
 3 files changed, 18 insertions(+), 211 deletions(-)

diff --git a/README.md b/README.md
index a47e238..3639e2d 100644
--- a/README.md
+++ b/README.md
@@ -69,8 +69,8 @@ The output is well-formed JSON as defined by
 [RFC 4627](http://www.ietf.org/rfc/rfc4627.txt).
 The output satisfies these additional properties:
 
- * The output will not contain the substrings (case-insensitively) `"<script"`, `"</script"` or `"<!--"` and can thus be embedded inside an HTML script element without further encoding.
- * The output will not contain the substring `"]]>"` and can thus be embedded inside an XML CDATA section without further encoding.
+ * The output will not contain the substring (case-insensitively) `"</script"` so can be embedded inside an HTML script element without further encoding.
+ * The output will not contain the substring `"]]>"` so can be embedded inside an XML CDATA section without further encoding.
  * The output is a valid Javascript expression, so can be parsed by Javascript's `eval` builtin (after being wrapped in parentheses) or by `JSON.parse`.  Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
  * The output contains only valid Unicode [scalar values](http://www.unicode.org/glossary/#unicode_scalar_value) (no isolated [UTF-16 surrogates](http://www.unicode.org/glossary/#surrogate_pair)) that are [allowed in XML](http://www.w3.org/TR/xml/#charsets) unescaped.
 
diff --git a/src/main/java/com/google/json/JsonSanitizer.java b/src/main/java/com/google/json/JsonSanitizer.java
index 874adfa..74908f0 100644
--- a/src/main/java/com/google/json/JsonSanitizer.java
+++ b/src/main/java/com/google/json/JsonSanitizer.java
@@ -544,64 +544,16 @@ private void sanitizeString(int start, int end) {
             }
           }
           break;
-        // Embedding. Disallow <script, </script, <!--, --> and ]]> in string
-        // literals so that the output can be embedded in HTML script elements
-        // and in XML CDATA sections without affecting the parser state.
-        // References:
-        // https://www.w3.org/TR/html53/semantics-scripting.html#restrictions-for-contents-of-script-elements
-        // https://www.w3.org/TR/html53/syntax.html#script-data-escaped-state
-        // https://www.w3.org/TR/html53/syntax.html#script-data-double-escaped-state
-        // https://www.w3.org/TR/xml/#sec-cdata-sect
-        case '<': {
-          // Disallow <!--, which lets the HTML parser switch into the "script
-          // data escaped" state.
-          // Disallow <script, which followed by various characters lets the
-          // HTML parser switch into or out of the "script data double escaped"
-          // state.
-          // Disallow </script, which ends a script block.
-          if (i + 3 >= end) {
-            break;
-          }
-          int la = i + 1;
-          int c1AndDelta = unescapedChar(jsonish, la);
-          char c1 = (char) c1AndDelta;
-          la += c1AndDelta >>> 16;
-          long c2AndDelta = unescapedChar(jsonish, la);
-          char c2 = (char) c2AndDelta;
-          la += c2AndDelta >>> 16;
-          long c3AndEnd = unescapedChar(jsonish, la);
-          char c3 = (char) c3AndEnd;
-          char lc1 = (char) (c1 | 32);
-          char lc2 = (char) (c2 | 32);
-          char lc3 = (char) (c3 | 32);
-          if (
-                  (c1 == '!' && c2 == '-' && c3 == '-') ||
-                          (lc1 == 's' && lc2 == 'c' && lc3 == 'r') ||
-                          (c1 == '/' && lc2 == 's' && lc3 == 'c')
-          ) {
-            replace(i, i + 1, "\\u003c"); // Escaped <
-          }
-          break;
-        }
-        case '>':
-          // Disallow -->, which lets the HTML parser switch out of the "script
-          // data escaped" or "script data double escaped" state.
-          if ((i - 2) >= start) {
-            int lb = i - 1;
-            if ((runSlashPreceding(jsonish, lb) & 1) == 1) {
-              // If the '>' is escaped backup over its slash.
-              lb -= 1;
-            }
-            int cm1AndDelta = unescapedCharRev(jsonish, lb);
-            char cm1 = (char) cm1AndDelta;
-            if ('-' == cm1) {
-                lb -= cm1AndDelta >>> 16;
-                int cm2AndDelta = unescapedCharRev(jsonish, lb);
-                char cm2 = (char) cm2AndDelta;
-                if ('-' == cm2) {
-                    replace(i, i + 1, "\\u003e"); // Escaped >
-                }
-            }
+        // Embedding.  Disallow </script and ]]> in string literals so that
+        // the output can be embedded in HTML script elements and in XML CDATA
+        // sections.
+        case '/':
+          // Don't over escape.  Many JSON bodies contain innocuous HTML
+          // that can be safely embedded.
+          if (i > start && i + 2 < end && '<' == jsonish.charAt(i - 1)
+              && 's' == (jsonish.charAt(i + 1) | 32)
+              && 'c' == (jsonish.charAt(i + 2) | 32)) {
+            insert(i, '\\');
           }
           break;
         case ']':
diff --git a/src/test/java/com/google/json/JsonSanitizerTest.java b/src/test/java/com/google/json/JsonSanitizerTest.java
index 6a397b6..50bbf62 100644
--- a/src/test/java/com/google/json/JsonSanitizerTest.java
+++ b/src/test/java/com/google/json/JsonSanitizerTest.java
@@ -58,12 +58,14 @@ public static final void testSanitize() {
     assertSanitized("\"foo\"");
     assertSanitized("\"foo\"", "'foo'");
     assertSanitized(
-        "\"\\u003cscript>foo()\\u003c/script>\"", "\"<script>foo()</script>\"");
-    assertSanitized("\"\\u003c/SCRIPT\\n>\"", "\"</SCRIPT\n>\"");
-    assertSanitized("\"\\u003c/ScRIpT\"", "\"</ScRIpT\"");
+        "\"<script>foo()<\\/script>\"", "\"<script>foo()</script>\"");
+    assertSanitized(
+        "\"<script>foo()<\\/script>\"", "\"<script>foo()</script>\"");
+    assertSanitized("\"<\\/SCRIPT\\n>\"", "\"</SCRIPT\n>\"");
+    assertSanitized("\"<\\/ScRIpT\"", "\"</ScRIpT\"");
     // \u0130 is a Turkish dotted upper-case 'I' so the lower case version of
     // the tag name is "script".
-    assertSanitized("\"\\u003c/ScR\u0130pT\"", "\"</ScR\u0130pT\"");
+    assertSanitized("\"<\\/ScR\u0130pT\"", "\"</ScR\u0130pT\"");
     assertSanitized("\"<b>Hello</b>\"");
     assertSanitized("\"<s>Hello</s>\"");
     assertSanitized("\"<[[\\u005d]>\"", "'<[[]]>'");
@@ -211,151 +213,4 @@ public static final void testIssue13() {
         "[ { \"description\": \"aa##############aa\" }, 1 ]",
         "[ { \"description\": \"aa##############aa\" }, 1 ]");
   }
-
-  @Test
-  public static final void testHtmlParserStateChanges() {
-    assertSanitized("\"\\u003cscript\"", "\"<script\"");
-    assertSanitized("\"\\u003cScript\"", "\"<Script\"");
-    // \u0130 is a Turkish dotted upper-case 'I' so the lower case version of
-    // the tag name is "script".
-    assertSanitized("\"\\u003cScR\u0130pT\"", "\"<ScR\u0130pT\"");
-    assertSanitized("\"\\u003cSCRIPT\\n>\"", "\"<SCRIPT\n>\"");
-    assertSanitized("\"script\"", "<script");
-
-    assertSanitized("\"\\u003c!--\"", "\"<!--\"");
-    assertSanitized("-0", "<!--");
-
-    assertSanitized("\"--\\u003e\"", "\"-->\"");
-    assertSanitized("-0", "-->");
-
-    assertSanitized("\"\\u003c!--\\u003cscript>\"", "\"<!--<script>\"");
-  }
-
-  @Test
-  public static final void testLongOctalNumberWithBadDigits() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    assertEquals(
-            "-888888888888888888888",
-            JsonSanitizer.sanitize("-0888888888888888888888")
-    );
-  }
-
-  @Test
-  public static final void testLongNumberInUnclosedInputWithU80() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    assertEquals(
-            "{\"\":{\"\":{\"\":{\"\":{\"\":{\"\":{\"x80\":{\"\":{\"\":[-400557869725698078427]}}}}}}}}}",
-            JsonSanitizer.sanitize("{{{{{{{\\x80{{([-053333333304233333333333")
-    );
-  }
-
-  @Test
-  public static final void testSlashFour() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    assertEquals("\"y\\u0004\"", JsonSanitizer.sanitize("y\\4")); // "y\4"
-  }
-
-  @Test
-  public static final void testUnterminatedObject() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    String input = "?\u0000\u0000\u0000{{\u0000\ufffd\u0003]ve{R]\u00000\ufffd\u0016&e{\u0003]\ufffda<!.b<!<!cc1x\u0000\u00005{281<\u0000.{t\u0001\ufffd5\ufffd{5\ufffd\ufffd0\ufffd15\r\ufffd\u0000\u0000\u0000~~-0081273222428822883223759,55\ufffd\u0000\ufffd\t\u0000\ufffd";
-    String got = JsonSanitizer.sanitize(input);
-    String want = "{\"\":{},\"ve\":{\"R\":null},\"0\":\"e\",\"\":{},\"a<!.b<!<!cc1x\":5,\"\":{\"281\":0.0,\"\":{\"t\":5,\"\":{\"5\":0,\"15\"\r:-81273222428822883223759,\"55\"\t:null}}}}";
-    assertEquals(want, got);
-  }
-
-  @Test
-  public static final void testCrash1() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    String input = "?\u0000\u0000\u0000{{\u0000\ufffd\u0003]ve{R]\u00000\ufffd\ufffd\u0016&e{\u0003]\ufffda<!.b<!<!c\u00005{281<\u0000.{t\u0001\ufffd5\ufffd{515\r[\u0000\u0000\u0000~~-008127322242\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd23759,551x\u0000\u00006{281<\u0000.{t\u0001\ufffd5\ufffd{5\ufffd\ufffd0\ufffd15\r[\u0000\u0000\u0000~~-0081273222428822883223759,\ufffd";
-    String want = "{\"\":{},\"ve\":{\"R\":null},\"0\":\"e\",\"\":{},\"a<!.b<!<!c\":5,\"\":{\"281\":0.0,\"\":{\"t\":5,\"\":{\"515\"\r:[-8127322242,23759,551,6,{\"281\":0.0,\"\":{\"t\":5,\"\":{\"5\":0,\"15\"\r:[-81273222428822883223759]}}}]}}}}";
-    String got = JsonSanitizer.sanitize(input);
-    assertEquals(want, got);
-  }
-
-  @Test
-  public static final void testDisallowedSubstrings() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    String[] inputs = {
-            "x<\\script>",
-            "x</\\script>",
-            "x</sc\\ript>",
-            "x<\\163cript>",
-            "x</\\163cript>",
-            "x<\\123cript>",
-            "x</\\123cript>",
-            "u\\u\\uu\ufffd\ufffd\\u7u\\u\\u\\u\ufffdu<\\script>5",
-            "z\\<\\!--",
-            "z\\<!\\--",
-            "z\\<!-\\-",
-            "z\\<\\!--",
-            "\"\\]]\\>",
-    };
-    for (String input : inputs) {
-      String out = JsonSanitizer.sanitize(input).toLowerCase(Locale.ROOT);
-      assertFalse(out, out.contains("<!--"));
-      assertFalse(out, out.contains("-->"));
-      assertFalse(out, out.contains("<script"));
-      assertFalse(out, out.contains("</script"));
-      assertFalse(out, out.contains("]]>"));
-      assertFalse(out, out.contains("<![cdata["));
-    }
-  }
-
-  @Test
-  public static final void testXssPayload() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    String input = "x</\\script>u\\u\\uu\ufffd\ufffd\\u7u\\u\\u\\u\ufffdu<\\script>5+alert(1)//";
-    assertEquals(
-            "\"x\\u003c/script>uuuu\uFFFD\uFFFDu7uuuu\uFFFDu\\u003cscript>5+alert(1)//\"",
-            JsonSanitizer.sanitize(input)
-    );
-  }
-
-  @Test
-  public static final void testInvalidOutput() {
-    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
-    String input = "\u0010{'\u0000\u0000'\"\u0000\"{.\ufffd-0X29295909049550970,\n\n0";
-    String want = "{\"\\u0000\\u0000\":\"\\u0000\",\"\":{\"0\":-47455995597866469744,\n\n\"0\":null}}";
-    String got = JsonSanitizer.sanitize(input);
-    assertEquals(want, got);
-  }
-
-  @Test
-  public static final void testBadNumber() {
-    String input = "¶0x.\\蹃4\\À906";
-    String want = "0.0";
-    String got = JsonSanitizer.sanitize(input);
-    assertEquals(want, got);
-  }
-
-  @Test
-  public static final void testDashDashGtEscaped() {
-    String input = "'->??-\\->";
-    String want = "\"->??--\\u003e\"";
-    String got1 = JsonSanitizer.sanitize(input);
-    assertEquals(want, got1);
-    String got2 = JsonSanitizer.sanitize(got1);
-    assertEquals(want, got2);
-  }
-
-  @Test
-  public static final void testDashDashGtUEscaped() {
-    String input = "'.\\u002D->'";
-    String want = "\".\\u002D-\\u003e\"";
-    String got1 = JsonSanitizer.sanitize(input);
-    assertEquals(want, got1);
-    String got2 = JsonSanitizer.sanitize(got1);
-    assertEquals(want, got2);
-  }
-
-  @Test
-  public static final void testEscHtmlCommentClose() {
-    String input = "x--\\>";
-    String want = "\"x--\\u003e\"";
-    String got1 = JsonSanitizer.sanitize(input);
-    assertEquals(want, got1);
-    String got2 = JsonSanitizer.sanitize(got1);
-    assertEquals(want, got2);
-  }
 }

From b25cffe0f7963bdf45f6d17a756e8acb28b92681 Mon Sep 17 00:00:00 2001
From: Simon Resch <simon.resch@code-intelligence.de>
Date: Thu, 3 Mar 2022 17:40:00 +0100
Subject: [PATCH 2/2] Escape <!--, --> and <script (#20)

---
 README.md                                     |   4 +-
 .../java/com/google/json/JsonSanitizer.java   |  68 ++++++--
 .../com/google/json/JsonSanitizerTest.java    | 157 +++++++++++++++++-
 3 files changed, 211 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 3639e2d..a47e238 100644
--- a/README.md
+++ b/README.md
@@ -69,8 +69,8 @@ The output is well-formed JSON as defined by
 [RFC 4627](http://www.ietf.org/rfc/rfc4627.txt).
 The output satisfies these additional properties:
 
- * The output will not contain the substring (case-insensitively) `"</script"` so can be embedded inside an HTML script element without further encoding.
- * The output will not contain the substring `"]]>"` so can be embedded inside an XML CDATA section without further encoding.
+ * The output will not contain the substrings (case-insensitively) `"<script"`, `"</script"` or `"<!--"` and can thus be embedded inside an HTML script element without further encoding.
+ * The output will not contain the substring `"]]>"` and can thus be embedded inside an XML CDATA section without further encoding.
  * The output is a valid Javascript expression, so can be parsed by Javascript's `eval` builtin (after being wrapped in parentheses) or by `JSON.parse`.  Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
  * The output contains only valid Unicode [scalar values](http://www.unicode.org/glossary/#unicode_scalar_value) (no isolated [UTF-16 surrogates](http://www.unicode.org/glossary/#surrogate_pair)) that are [allowed in XML](http://www.w3.org/TR/xml/#charsets) unescaped.
 
diff --git a/src/main/java/com/google/json/JsonSanitizer.java b/src/main/java/com/google/json/JsonSanitizer.java
index 74908f0..874adfa 100644
--- a/src/main/java/com/google/json/JsonSanitizer.java
+++ b/src/main/java/com/google/json/JsonSanitizer.java
@@ -544,16 +544,64 @@ private void sanitizeString(int start, int end) {
             }
           }
           break;
-        // Embedding.  Disallow </script and ]]> in string literals so that
-        // the output can be embedded in HTML script elements and in XML CDATA
-        // sections.
-        case '/':
-          // Don't over escape.  Many JSON bodies contain innocuous HTML
-          // that can be safely embedded.
-          if (i > start && i + 2 < end && '<' == jsonish.charAt(i - 1)
-              && 's' == (jsonish.charAt(i + 1) | 32)
-              && 'c' == (jsonish.charAt(i + 2) | 32)) {
-            insert(i, '\\');
+        // Embedding. Disallow <script, </script, <!--, --> and ]]> in string
+        // literals so that the output can be embedded in HTML script elements
+        // and in XML CDATA sections without affecting the parser state.
+        // References:
+        // https://www.w3.org/TR/html53/semantics-scripting.html#restrictions-for-contents-of-script-elements
+        // https://www.w3.org/TR/html53/syntax.html#script-data-escaped-state
+        // https://www.w3.org/TR/html53/syntax.html#script-data-double-escaped-state
+        // https://www.w3.org/TR/xml/#sec-cdata-sect
+        case '<': {
+          // Disallow <!--, which lets the HTML parser switch into the "script
+          // data escaped" state.
+          // Disallow <script, which followed by various characters lets the
+          // HTML parser switch into or out of the "script data double escaped"
+          // state.
+          // Disallow </script, which ends a script block.
+          if (i + 3 >= end) {
+            break;
+          }
+          int la = i + 1;
+          int c1AndDelta = unescapedChar(jsonish, la);
+          char c1 = (char) c1AndDelta;
+          la += c1AndDelta >>> 16;
+          long c2AndDelta = unescapedChar(jsonish, la);
+          char c2 = (char) c2AndDelta;
+          la += c2AndDelta >>> 16;
+          long c3AndEnd = unescapedChar(jsonish, la);
+          char c3 = (char) c3AndEnd;
+          char lc1 = (char) (c1 | 32);
+          char lc2 = (char) (c2 | 32);
+          char lc3 = (char) (c3 | 32);
+          if (
+                  (c1 == '!' && c2 == '-' && c3 == '-') ||
+                          (lc1 == 's' && lc2 == 'c' && lc3 == 'r') ||
+                          (c1 == '/' && lc2 == 's' && lc3 == 'c')
+          ) {
+            replace(i, i + 1, "\\u003c"); // Escaped <
+          }
+          break;
+        }
+        case '>':
+          // Disallow -->, which lets the HTML parser switch out of the "script
+          // data escaped" or "script data double escaped" state.
+          if ((i - 2) >= start) {
+            int lb = i - 1;
+            if ((runSlashPreceding(jsonish, lb) & 1) == 1) {
+              // If the '>' is escaped backup over its slash.
+              lb -= 1;
+            }
+            int cm1AndDelta = unescapedCharRev(jsonish, lb);
+            char cm1 = (char) cm1AndDelta;
+            if ('-' == cm1) {
+                lb -= cm1AndDelta >>> 16;
+                int cm2AndDelta = unescapedCharRev(jsonish, lb);
+                char cm2 = (char) cm2AndDelta;
+                if ('-' == cm2) {
+                    replace(i, i + 1, "\\u003e"); // Escaped >
+                }
+            }
           }
           break;
         case ']':
diff --git a/src/test/java/com/google/json/JsonSanitizerTest.java b/src/test/java/com/google/json/JsonSanitizerTest.java
index 50bbf62..6a397b6 100644
--- a/src/test/java/com/google/json/JsonSanitizerTest.java
+++ b/src/test/java/com/google/json/JsonSanitizerTest.java
@@ -58,14 +58,12 @@ public static final void testSanitize() {
     assertSanitized("\"foo\"");
     assertSanitized("\"foo\"", "'foo'");
     assertSanitized(
-        "\"<script>foo()<\\/script>\"", "\"<script>foo()</script>\"");
-    assertSanitized(
-        "\"<script>foo()<\\/script>\"", "\"<script>foo()</script>\"");
-    assertSanitized("\"<\\/SCRIPT\\n>\"", "\"</SCRIPT\n>\"");
-    assertSanitized("\"<\\/ScRIpT\"", "\"</ScRIpT\"");
+        "\"\\u003cscript>foo()\\u003c/script>\"", "\"<script>foo()</script>\"");
+    assertSanitized("\"\\u003c/SCRIPT\\n>\"", "\"</SCRIPT\n>\"");
+    assertSanitized("\"\\u003c/ScRIpT\"", "\"</ScRIpT\"");
     // \u0130 is a Turkish dotted upper-case 'I' so the lower case version of
     // the tag name is "script".
-    assertSanitized("\"<\\/ScR\u0130pT\"", "\"</ScR\u0130pT\"");
+    assertSanitized("\"\\u003c/ScR\u0130pT\"", "\"</ScR\u0130pT\"");
     assertSanitized("\"<b>Hello</b>\"");
     assertSanitized("\"<s>Hello</s>\"");
     assertSanitized("\"<[[\\u005d]>\"", "'<[[]]>'");
@@ -213,4 +211,151 @@ public static final void testIssue13() {
         "[ { \"description\": \"aa##############aa\" }, 1 ]",
         "[ { \"description\": \"aa##############aa\" }, 1 ]");
   }
+
+  @Test
+  public static final void testHtmlParserStateChanges() {
+    assertSanitized("\"\\u003cscript\"", "\"<script\"");
+    assertSanitized("\"\\u003cScript\"", "\"<Script\"");
+    // \u0130 is a Turkish dotted upper-case 'I' so the lower case version of
+    // the tag name is "script".
+    assertSanitized("\"\\u003cScR\u0130pT\"", "\"<ScR\u0130pT\"");
+    assertSanitized("\"\\u003cSCRIPT\\n>\"", "\"<SCRIPT\n>\"");
+    assertSanitized("\"script\"", "<script");
+
+    assertSanitized("\"\\u003c!--\"", "\"<!--\"");
+    assertSanitized("-0", "<!--");
+
+    assertSanitized("\"--\\u003e\"", "\"-->\"");
+    assertSanitized("-0", "-->");
+
+    assertSanitized("\"\\u003c!--\\u003cscript>\"", "\"<!--<script>\"");
+  }
+
+  @Test
+  public static final void testLongOctalNumberWithBadDigits() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    assertEquals(
+            "-888888888888888888888",
+            JsonSanitizer.sanitize("-0888888888888888888888")
+    );
+  }
+
+  @Test
+  public static final void testLongNumberInUnclosedInputWithU80() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    assertEquals(
+            "{\"\":{\"\":{\"\":{\"\":{\"\":{\"\":{\"x80\":{\"\":{\"\":[-400557869725698078427]}}}}}}}}}",
+            JsonSanitizer.sanitize("{{{{{{{\\x80{{([-053333333304233333333333")
+    );
+  }
+
+  @Test
+  public static final void testSlashFour() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    assertEquals("\"y\\u0004\"", JsonSanitizer.sanitize("y\\4")); // "y\4"
+  }
+
+  @Test
+  public static final void testUnterminatedObject() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    String input = "?\u0000\u0000\u0000{{\u0000\ufffd\u0003]ve{R]\u00000\ufffd\u0016&e{\u0003]\ufffda<!.b<!<!cc1x\u0000\u00005{281<\u0000.{t\u0001\ufffd5\ufffd{5\ufffd\ufffd0\ufffd15\r\ufffd\u0000\u0000\u0000~~-0081273222428822883223759,55\ufffd\u0000\ufffd\t\u0000\ufffd";
+    String got = JsonSanitizer.sanitize(input);
+    String want = "{\"\":{},\"ve\":{\"R\":null},\"0\":\"e\",\"\":{},\"a<!.b<!<!cc1x\":5,\"\":{\"281\":0.0,\"\":{\"t\":5,\"\":{\"5\":0,\"15\"\r:-81273222428822883223759,\"55\"\t:null}}}}";
+    assertEquals(want, got);
+  }
+
+  @Test
+  public static final void testCrash1() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    String input = "?\u0000\u0000\u0000{{\u0000\ufffd\u0003]ve{R]\u00000\ufffd\ufffd\u0016&e{\u0003]\ufffda<!.b<!<!c\u00005{281<\u0000.{t\u0001\ufffd5\ufffd{515\r[\u0000\u0000\u0000~~-008127322242\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd23759,551x\u0000\u00006{281<\u0000.{t\u0001\ufffd5\ufffd{5\ufffd\ufffd0\ufffd15\r[\u0000\u0000\u0000~~-0081273222428822883223759,\ufffd";
+    String want = "{\"\":{},\"ve\":{\"R\":null},\"0\":\"e\",\"\":{},\"a<!.b<!<!c\":5,\"\":{\"281\":0.0,\"\":{\"t\":5,\"\":{\"515\"\r:[-8127322242,23759,551,6,{\"281\":0.0,\"\":{\"t\":5,\"\":{\"5\":0,\"15\"\r:[-81273222428822883223759]}}}]}}}}";
+    String got = JsonSanitizer.sanitize(input);
+    assertEquals(want, got);
+  }
+
+  @Test
+  public static final void testDisallowedSubstrings() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    String[] inputs = {
+            "x<\\script>",
+            "x</\\script>",
+            "x</sc\\ript>",
+            "x<\\163cript>",
+            "x</\\163cript>",
+            "x<\\123cript>",
+            "x</\\123cript>",
+            "u\\u\\uu\ufffd\ufffd\\u7u\\u\\u\\u\ufffdu<\\script>5",
+            "z\\<\\!--",
+            "z\\<!\\--",
+            "z\\<!-\\-",
+            "z\\<\\!--",
+            "\"\\]]\\>",
+    };
+    for (String input : inputs) {
+      String out = JsonSanitizer.sanitize(input).toLowerCase(Locale.ROOT);
+      assertFalse(out, out.contains("<!--"));
+      assertFalse(out, out.contains("-->"));
+      assertFalse(out, out.contains("<script"));
+      assertFalse(out, out.contains("</script"));
+      assertFalse(out, out.contains("]]>"));
+      assertFalse(out, out.contains("<![cdata["));
+    }
+  }
+
+  @Test
+  public static final void testXssPayload() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    String input = "x</\\script>u\\u\\uu\ufffd\ufffd\\u7u\\u\\u\\u\ufffdu<\\script>5+alert(1)//";
+    assertEquals(
+            "\"x\\u003c/script>uuuu\uFFFD\uFFFDu7uuuu\uFFFDu\\u003cscript>5+alert(1)//\"",
+            JsonSanitizer.sanitize(input)
+    );
+  }
+
+  @Test
+  public static final void testInvalidOutput() {
+    // Found by Fabian Meumertzheim using CI Fuzz (https://www.code-intelligence.com)
+    String input = "\u0010{'\u0000\u0000'\"\u0000\"{.\ufffd-0X29295909049550970,\n\n0";
+    String want = "{\"\\u0000\\u0000\":\"\\u0000\",\"\":{\"0\":-47455995597866469744,\n\n\"0\":null}}";
+    String got = JsonSanitizer.sanitize(input);
+    assertEquals(want, got);
+  }
+
+  @Test
+  public static final void testBadNumber() {
+    String input = "¶0x.\\蹃4\\À906";
+    String want = "0.0";
+    String got = JsonSanitizer.sanitize(input);
+    assertEquals(want, got);
+  }
+
+  @Test
+  public static final void testDashDashGtEscaped() {
+    String input = "'->??-\\->";
+    String want = "\"->??--\\u003e\"";
+    String got1 = JsonSanitizer.sanitize(input);
+    assertEquals(want, got1);
+    String got2 = JsonSanitizer.sanitize(got1);
+    assertEquals(want, got2);
+  }
+
+  @Test
+  public static final void testDashDashGtUEscaped() {
+    String input = "'.\\u002D->'";
+    String want = "\".\\u002D-\\u003e\"";
+    String got1 = JsonSanitizer.sanitize(input);
+    assertEquals(want, got1);
+    String got2 = JsonSanitizer.sanitize(got1);
+    assertEquals(want, got2);
+  }
+
+  @Test
+  public static final void testEscHtmlCommentClose() {
+    String input = "x--\\>";
+    String want = "\"x--\\u003e\"";
+    String got1 = JsonSanitizer.sanitize(input);
+    assertEquals(want, got1);
+    String got2 = JsonSanitizer.sanitize(got1);
+    assertEquals(want, got2);
+  }
 }